On Thu, Sep 12, 2013 at 4:40 PM, David R <rewt@linux-elite.org> wrote:

But i still have an issue, my exclude file contains:

SecRuleUpdateTargetByTag "WEB_ATTACK/XSS" "!ARGS:password"
SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" "!ARGS:password"
SecRuleUpdateTargetByTag "WEB_ATTACK/RESTRICTED_SQLI_CHARS" "!ARGS:password"

But i have an issue with that... my WAF is working as a reverse proxy with
several VirtualHosts. And by doing that i cannot specify for which
virtualhost my rule is right ?

Is there a way to specify VirtualHost and Location for these rules to be
more "granular".

Hi David,

You can use the (undocumented) ruleRemoveTargetByTag ctl option, e.g.:

SecRule REQUEST_URI "/login.pl" "phase:1,t:none,pass, \

Since this rule is triggered at run time, it should be specified before the rules it is disabling.

 - Josh

I tried

<Location "/login.pl">
SecRuleUpdateTargetByTag "WEB_ATTACK/XSS" "!ARGS:password"
SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" "!ARGS:password"
SecRuleUpdateTargetByTag "WEB_ATTACK/RESTRICTED_SQLI_CHARS" "!ARGS:password"

And i got a strange "Segmentation fault"
Starting httpd: /bin/bash: line 1: 18459 Segmentation fault

Any idea on how i could solve that granularity issue ?

Kind regards,

How ServiceNow helps IT people transform IT departments:
1. Consolidate legacy IT systems to a single system of record for IT
2. Standardize and globalize service processes across IT
3. Implement zero-touch automation to replace manual, redundant tasks
mod-security-users mailing list
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: