On Tue, Oct 29, 2013 at 11:23 PM, Macks, Aaron <amacks@harvardbusiness.org> wrote:
I'm trying to skip a rule based on a filename, and thought this config should achieve that:

SecRule REQUEST_FILENAME "^/products/.*thumbnail.gif$" "nolog,pass,ctl:RuleRemoveById=990012"

The thing is, I'm still seeing hits for that rule in the log with filenames that match

Hi Aaron,

Have you tried usingSecRuleUpdateTargetById instead, e.g.:
SecRuleUpdateTargetById 990012 "!REQUEST_FILENAME:/thumbnail\.gif/"

That directive needs to go after the 990012 rule is created.

- Josh
HEAD /products/6789H-HTM-ENG/thumbnail/thumbnail.gif HTTP/1.1
User-Agent: Jakarta Commons-HttpClient/3.1
Message: Warning. Pattern match "(?i:(?:c(?:o(?:n(?:t(?:entsmartz|actbot/)|cealed defense|veracrawler)|mpatible(?: ;(?: msie|\\.)|-)|py(?:rightcheck|guard)|re-project/1.0)|h(?:ina(?: local browse 2\\.|claw)|e(?:rrypicker|esebot))|rescent internet toolpak)|w(?:e(?:b(?: (?:downloader|by ..." at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_35_bad_robots.conf"] [line "27"] [id "990012"] [rev "2.2.5"] [msg "Rogue web site crawler"] [data "Jakarta"] [severity "WARNING"] [tag "AUTOMATION/MALICIOUS"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]

Is it because the request is HEAD and not GET?

Aaron Macks

Android is increasing in popularity, but the open development platform that
developers love is also attractive to malware creators. Download this white
paper to learn more about secure code signing practices that can help keep
Android apps secure.
mod-security-users mailing list
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: