Re: [mod-security-users] Ignoring the referer?
From: Ryan B. <Rya...@Br...> - 2008-09-15 19:12:54
> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Albert E. Whale
> Sent: Monday, September 15, 2008 10:00 PM
> To: mod...@li...
> Subject: [mod-security-users] Ignoring the referer?
>
> A few days ago I tried to compile a new rule,
>
> SecRule ARGS|ARGS_NAMES
> "(http:\/.*?){4}"|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/wgsession$/\
>
> "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'6',severity:'3'"
>
> However this reports an error.
>
> Syntax error on line 35 of
> /etc/httpd/conf/modsecurity/modsecurity_crs_61_customrules.conf:
> SecRule takes two or three arguments, rule target, operator and optional
> action list
>
> What is wrong with this?
>
> This is supposed to permit this event in the event of an issue with the
> Logged in user using WebGUI.
>
> I think that attempting to understand why this did not work would be
> better than permitting the ?func-edit by the referer.
>
> Thank you in advance.

[Ryan Barnett] Please review the format for SecRule - http://www.modsecurity.org/documentation/modsecurity-apache/2.5.6/modsecurity2-apache-reference.html#N1086C. What you are trying to do is to exclude a specific variable from the variable list.

Proper format of the rules is one topic; however, for your specific scenario, you can use another approach. Essentially, you are saying that that Comment SPAM rule is causing some false positive hits when the "*wgSession" cookie is present (meaning that someone is logged in). So, what you can do is simply create a rule to evaluate if that Cookie is present and, if it is, use the "ctl" action to dynamically disable the existing rule -

SecRule &REQUEST_COOKIES_NAMES:'/wgSession$/' "@ge 1" "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=950002"
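
Why the posted rule trips the "two or three arguments" error, as an added example that is not part of either message: a simplified Python model of how Apache splits a directive into arguments (a quoted argument ends at its closing quote, so text glued on after it becomes a separate argument). The function names, the `WELL_FORMED` variant, the shortened action list, and the joining of the posted rule onto one logical line are assumptions made for this illustration.

```python
def split_directive(line):
    """Split one logical config line into words: whitespace separates,
    and a word that starts with a quote ends at the matching quote."""
    words, i, n = [], 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
        elif line[i] in "\"'":
            quote, j, buf = line[i], i + 1, []
            while j < n and line[j] != quote:
                # A backslash only escapes the quote character or itself.
                if line[j] == "\\" and line[j + 1:j + 2] in (quote, "\\"):
                    j += 1
                buf.append(line[j])
                j += 1
            words.append("".join(buf))
            i = j + 1  # the next word starts right after the closing quote
        else:
            j = i
            while j < n and not line[j].isspace():
                j += 1
            words.append(line[i:j])
            i = j
    return words

def check_secrule(line):
    """Return a list of problems with a SecRule line (empty list = none found)."""
    words = split_directive(line)
    if not words or words[0] != "SecRule":
        return ["not a SecRule directive"]
    args, problems = words[1:], []
    if not 2 <= len(args) <= 3:
        problems.append(f"SecRule takes two or three arguments, got {len(args)}")
    # Targets (VAR|VAR|!VAR:name) belong in argument 1 only.
    for pos, arg in enumerate(args[1:], start=2):
        if arg.startswith("|"):
            problems.append(f"argument {pos} continues a variable list after the operator")
    return problems

# Constructed sample input: action list shortened from the one in the question.
ACTIONS = r''' "phase:2,t:none,deny,log,status:400,msg:'Comment Spam',id:'6'"'''
BROKEN = (r'''SecRule ARGS|ARGS_NAMES "(http:\/.*?){4}"|!REQUEST_HEADERS:Cookie'''
          r'''|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/wgsession$/'''
          + ACTIONS)
WELL_FORMED = r'''SecRule ARGS|ARGS_NAMES "(http:\/.*?){4}"''' + ACTIONS  # assumed variant
REPLY_RULE = (r'''SecRule &REQUEST_COOKIES_NAMES:'/wgSession$/' "@ge 1" '''
              r'''"phase:1,t:none,nolog,pass,ctl:ruleRemoveById=950002"''')

if __name__ == "__main__":
    for name, rule in [("broken", BROKEN), ("well-formed", WELL_FORMED), ("reply", REPLY_RULE)]:
        print(name, check_secrule(rule) or "ok")
```

The posted rule splits into four arguments because everything after the closing quote of the regular expression becomes an argument of its own; the rule from the reply splits into exactly three.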