I have a patch for this. Can I send you a tarball for testing?



On Thu, Jul 19, 2012 at 12:49 PM, Breno Silva <breno.silva@gmail.com> wrote:
I'm already using it in 2.7.0 but this will not change the behavior, because I need to change the ruleset. I think the only way we could do that is to store the ctl:ruleUpdateTargetById fields somewhere and revert the changes in the ruleset structure.

Any idea?

On Thu, Jul 19, 2012 at 12:18 PM, rm4dillo D <rm4dillo@gmail.com> wrote:
Thanks! This is a good idea but I still think that it's not that clean, especially when the documentation says:

"You could also do the same by using the ctl action. This is useful if you want to only update the targets for a particular URL"

SecRule REQUEST_FILENAME "@streq /path/to/file.php" "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=958895;!ARGS:email"

By the way, I also tried to use the Location directive and it worked with SecRuleRemoveById but not with SecRuleUpdateTargetById.

Are you planning to make ctl:ruleUpdateTargetById use an exception_rule like structure instead of modifying the ruleset?

On Thu, Jul 19, 2012 at 6:52 PM, Breno Silva <breno.silva@gmail.com> wrote:
> Maybe you could add two ctl:ruleUpdateTargetById?
>
> #Add it for each transaction
> SecRule REQUEST_FILENAME "[a-zA-Z0-9]" "t:none,nolog,pass,ctl:ruleUpdateTargetById=973331;ARGS:id"
>
> #Remove it during a specific transaction
> SecRule REQUEST_FILENAME "@streq /not_vulnerable.cgi" "t:none,nolog,pass,ctl:ruleUpdateTargetById=973331;!ARGS:id"
>
> On Thu, Jul 19, 2012 at 11:44 AM, Breno Silva <breno.silva@gmail.com> wrote:
>> Hello,
>> Yes. This is how SecRuleUpdateTargetById works, changing the rule structure that is created using a different memory pool than the per-transaction one.
>> On Thu, Jul 19, 2012 at 11:21 AM, rm4dillo D <rm4dillo@gmail.com> wrote:
>>> Hi,
>>> I've been trying to implement some exceptions using conditional targets appending with the "ruleUpdateTargetById" action but after the first match, the exception is applied to all the following requests, just like the "SecRuleUpdateTargetById" directive.
>>> Example:
>>> With this configuration:
>>> SecRule REQUEST_FILENAME "@streq /not_vulnerable.cgi" "t:none,nolog,pass,ctl:ruleUpdateTargetById=973331;!ARGS:id"
>>> As expected, "GET /vulnerable.cgi?id=<script>..." matches rule 973331
>>> and "GET /not_vulnerable.cgi?id=<script>..." does not match rule 973331
>>> but when we try this "GET /vulnerable.cgi?id=<script>..." again, the request does not match rule 973331 because its target list has changed.
>>> I think that this happens because the "ruleUpdateTargetById" action directly modifies the current process' "msre_ruleset" structure, while the "ruleRemoveById" action, which works correctly, creates a "rule_exception" structure for the current request only, without modifying the ruleset.
>>> P.S.: it's easier to reproduce this "bug?" by setting MaxClients to 1. This should force Apache to have only one process.
>>> Thank you for your help.
>>> Rm4dillo
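
The behaviour reported in this thread, as a simplified model added here for illustration; it is not ModSecurity source code and not the patch mentioned above. The struct and function names are hypothetical, and the three requests are the ones from the original report replayed against a single worker process.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a rule in the process-wide ruleset. */
struct rule { int id; bool inspects_args_id; };

/* Hypothetical per-request state, discarded when the request ends. */
struct tx { bool exclude_args_id; };

static bool is_attack(const char *arg) { return strstr(arg, "<script>") != NULL; }

/* Reported behaviour: the ctl action edits the shared rule itself. */
static bool handle_shared(struct rule *r, const char *path, const char *arg) {
    if (strcmp(path, "/not_vulnerable.cgi") == 0)
        r->inspects_args_id = false;      /* outlives this request */
    return r->inspects_args_id && is_attack(arg);
}

/* Exception held in the transaction, as described for ruleRemoveById. */
static bool handle_per_tx(const struct rule *r, const char *path, const char *arg) {
    struct tx tx = { .exclude_args_id = false };
    if (strcmp(path, "/not_vulnerable.cgi") == 0)
        tx.exclude_args_id = true;        /* dropped with the transaction */
    return r->inspects_args_id && !tx.exclude_args_id && is_attack(arg);
}

/* Replays the report's request sequence; bit i is set if request i matched. */
static int replay(bool shared) {
    static const char *paths[] = {
        "/vulnerable.cgi", "/not_vulnerable.cgi", "/vulnerable.cgi"
    };
    const char *arg = "<script>...";      /* placeholder value from the report */
    struct rule r = { 973331, true };
    int mask = 0;
    for (int i = 0; i < 3; i++) {
        bool hit = shared ? handle_shared(&r, paths[i], arg)
                          : handle_per_tx(&r, paths[i], arg);
        if (hit) mask |= 1 << i;
    }
    return mask;
}

int main(void) {
    printf("shared ruleset edit: 0x%x\n", replay(true));
    printf("per-tx exception:    0x%x\n", replay(false));
    return 0;
}
```

In the shared case the third request no longer matches rule 973331, which is the coverage gap the report describes; with the per-transaction exception only the excluded path is skipped.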