Re: [mod-security-users] false positive rule update
From: Christian B. <ch...@jw...> - 2009-02-12 13:29:03
Hi Roger!

On 12.02.2009 at 13:49, Roger Munk wrote:

> Thanks for the three options you suggested. Based on the three, is
> there a preferred method? Which method would introduce the least
> overhead?

The overhead should be low in any of the three solutions.

> If I'm making all changes in the
> modsecurity_crs_60_PostFilteringRules.conf file, would I just need to
> add in a SecDefaultAction "log,pass,phase:2,status:200 for this option
> to work?

You don't need to. I'd simply add the following lines to the modsecurity_crs_60_PostFilteringRules.conf

    <LocationMatch "^/PathTo/Script\sCausing\sFalsePositive$">
        SecRemoveRuleById 970015
    </LocationMatch>

which should be sufficient. I do favor this setup for readability. However, with this approach you can only remove rules in phase-2 or later, as Apache does not process the LocationMatch directive in phase-1. If you need to remove phase-1 rules, you need to do this as follows:

    SecRule REQUEST_URI "/path/to/special/uri" "phase:1,chain"
    SecRemoveRuleById <rule-id-to-remove>

Regards,
Chris