By {HTTP_HOST} you mean as a macro expansion?  No, because the regexes are pre-compiled at configuration time so they are faster.  You can use them in the string/math operators.

Examples:

"@beginsWith http://%{REQUEST_HEADERS.Host}"

"@contains %{REQUEST_HEADERS.Host}"

"@gt %{TX.limit}"

-B

Leon Bogaert wrote:
Hi Brian,

I've now used the ruleRemoveById option. It's the most clean for now.
Another question: can I use something like {HTTP_HOST} in the regex?

Leon

________________________________________
From: Brian Rectanus [Brian.Rectanus@breach.com]
Sent: 25 October 2009 20:15
To: Leon Bogaert
Cc: Christian Bockermann; mod-security-users@lists.sourceforge.net
Subject: Re: [mod-security-users] disable rule based on arg - Email found in subject - Email found in subject

No way to do that without a skip to emulate an OR operation.  Did you see
my other option as well?

SecRule ARGS:option "^com_resize$" "pass,nolog,phase:1,ctl:ruleRemoveById=1234"
SecRule ARGS|ARGS_NAMES "^http:/" "id:1234,..."

-B

Leon Bogaert wrote:
  
Hi Brian,

The first rule indeed needs an option arg.
Is it possible to chain another rule so the option arg is not required?

I now have this:
SecRule ARGS:option "^com_resize$" "pass,skip:1"
SecRule ARGS|ARGS_NAMES "^http:/"

But I like the syntax of the chain command better.

Leon

________________________________________
From: Brian Rectanus [Brian.Rectanus@breach.com]
Sent: 24 October 2009 23:20
To: Leon Bogaert
Cc: Christian Bockermann; mod-security-users@lists.sourceforge.net
Subject: Re: [mod-security-users] disable rule based on arg - Email found in subject - Email found in subject

Some other options:


SecRule ARGS|ARGS_NAMES "^http:/" "chain,..."
SecRule ARGS:option "!^com_resize$"

NOTE: this may require option arg - I did not have time to verify

OR

SecRule ARGS:option "^com_resize$" "pass,nolog,phase:1,ctl:ruleRemoveById=1234"
SecRule ARGS|ARGS_NAMES "^http:/" "id:1234,..."

later,
-B



Leon Bogaert wrote:

Hi Christian,

Thank you very much! I'm gonna try this tomorrow!

Leon

________________________________________
From: Christian Bockermann [chris@jwall.org]
Sent: 24 October 2009 13:07
To: Leon Bogaert
Cc: mod-security-users@lists.sourceforge.net
Subject: Re: [mod-security-users] disable rule based on arg - Email found in subject

Hi Leon,

you could for instance use the "skip" action:

         SecRule ARGS:option "^com_resize$" "skip:1"
         SecRule ARGS|ARGS_NAMES "^http:/"

The first rule should skip the evaluation of the second one if
option=='com_resize'.

As your second rule seems to watch for remote references, you may want
to make sure to limit the possible allowed remote-references for requests
containing "option=='com_resize'" instead of completely skipping this rule.

Best regards,
      Chris


On 23.10.2009 at 13:39, Leon Bogaert wrote:



Hi all,

I have this rule for mod_security2:
SecRule ARGS|ARGS_NAMES "^http:/"

But I would like to disable it if the "option" arg == 'com_resize'
So if the request contains option=com_resize I would like to
disable the above rule.

I tried searching on google but I only found out how to disable
specific rules for specific locations.

Thanks in advance!

Leon

_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html




--
Brian Rectanus
Breach Security
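
Chris's suggestion of limiting the allowed remote references for com_resize, rather than skipping the check, can be combined with the macro expansion Brian describes for string operators. The following is an added example, not configuration posted by anyone in the thread; the rule ids 900100-900102, the msg texts, the TX variable name and the prefix http://www.example.com/ are assumptions, and it assumes a ModSecurity 2.x build that provides the MATCHED_VARS collection.

```apache
# Added example, not from the thread. Rule ids 900100-900102, the msg texts,
# tx.resize_prefix and http://www.example.com/ are constructed placeholders.

# Pin the one prefix that com_resize may reference. A fixed TX value is used
# instead of %{REQUEST_HEADERS.Host} because the Host header is client-supplied.
SecAction "id:900100,phase:1,pass,nolog,setvar:'tx.resize_prefix=http://www.example.com/'"

# com_resize requests: take the generic rule 1234 out of this transaction only.
# Runs in phase 2 (request-body arguments are only populated there) and must
# appear before rule 1234 in the configuration.
SecRule ARGS:option "@streq com_resize" \
    "id:900101,phase:2,pass,nolog,ctl:ruleRemoveById=1234"

# Generic rule from the thread, given explicit actions.
SecRule ARGS|ARGS_NAMES "^http:/" \
    "id:1234,phase:2,deny,status:403,log,msg:'Remote reference in argument'"

# Narrow replacement for com_resize: deny if any argument value or name that
# starts with http:/ does not begin with the pinned prefix. The prefix is
# expanded per request, which works because @beginsWith is a string operator;
# the regex in the middle rule stays a literal compiled at configuration time.
SecRule ARGS:option "@streq com_resize" \
    "id:900102,phase:2,deny,status:403,log,\
    msg:'com_resize remote reference outside allowed prefix',chain"
    SecRule ARGS|ARGS_NAMES "^http:/" "chain"
        SecRule MATCHED_VARS "!@beginsWith %{TX.resize_prefix}"
```

MATCHED_VARS is used in the last rule rather than MATCHED_VAR so that every argument matched by the middle rule is checked, not only the last one.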


    
