Re: [mod-security-users] false positive rule update
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] false positive rule update
|
From: Christian B. <ch...@jw...> - 2009-02-12 13:29:03
|
Hi Roger!
Am 12.02.2009 um 13:49 schrieb Roger Munk:
> Thanks for the three options you suggested. Based on the three, is
> there a perfered method? Which method would introduce the least
> overhead?
The overhead should be low in any of the tree solutions.
> If I'm making all changes in the
> modsecurity_crs_60_PostFilteringRules.conf file, would I just need to
> add in a SecDefaultAction "log,pass,phase:2,status:200 for this option
> to work?
You don't need to.
I'd simply add the following lines to the
modsecurity_crs_60_PostFilteringRules.conf
<LocationMatch "^/PathTo/Script\sCausing\sFalsePositive$">
SecRemoveRuleById 970015
</LocationMatch>
which should be sufficient. I do favor this setup for readabilty.
However, with this approach you can only remove rule in phase-2 or
later as Apache
does not process the LocationMatch directive in phase-1.
If you need to remove phase-1-rules, you need to do this like follows:
SecRule REQUEST_URI "/path/to/special/uri" "phase:1,chain"
SecRemoveRuleById <rule-id-to-remove>
Regards,
Chris
|