One more question if you'll indulge me

I have a rsub rule like so in ModSec 2.7.1
SecRule STREAM_OUTPUT_BODY "@rsub s/stuff to find//d" "phase:4,id:100003,t:none,nolog,pass,msg:'content stripped!'"

And it leaves a / in the output content

if I write the rule like this in ModSec2.6.7
SecRule STREAM_OUTPUT_BODY "@rsub s/stuff to find/ /d" "phase:4,id:100003,t:none,nolog,pass,msg:'content stripped!'"

It replaces with a space, but in 2.7.1 it returns a config error "Error creating rule: Error rsub operator parsing input data". Is this a new feature and if so, how do you replace a sting with nothing?

On Wed, Jan 16, 2013 at 4:15 PM, Scott Gerlach <> wrote:
Hmmmm, makes sense based on my testing, but just making sure I didn't miss something. Appreciate the response. 

On Wed, Jan 16, 2013 at 3:50 PM, Breno Silva <> wrote:
Yes Scott. It is required.

On Wed, Jan 16, 2013 at 6:42 PM, Scott Gerlach <> wrote:
Question about SecStreamOutBodyInspection

Documentation seems to indicate that you do not need SecResponseBodyAccess On but with it turned off debug logs indicate that the rules have nothing to match against.

Is SecResponseBodyAccess required to make SecStreamOutBodyInspection/SecContentInjection work?


Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery
and much more. Keep your Java skills current with LearnJavaNow -
200+ hours of step-by-step video tutorials by Java experts.
SALE $49.99 this month only -- learn more at:
mod-security-users mailing list
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: