Re: [mod-security-users] whitelisting based on headers
Brought to you by:
victorhora,
zimmerletw
From: Roger M. <rog...@gm...> - 2009-06-04 19:14:52
|
On Thu, Jun 4, 2009 at 5:41 PM, Ryan Barnett <Rya...@br...> wrote: > -----Original Message----- > From: Roger Munk [mailto:rog...@gm...] > Sent: Thursday, June 04, 2009 9:56 AM > To: Mod Security > Subject: [mod-security-users] whitelisting based on headers > > I have the following rule in my modsecurity_crs_60_PostFilteringRules.conf file: > > SecRule REQUEST_HEADERS:User-Agent "Mozilla/5.0 (Windows; U; Windows > NT 5.1; id; rv:1.9.0.7) Gecko/200902 1910 Firefox/3.0.7" > "phase:1,pass,msg:'Disabling rule 950006 for > UA',ctl:ruleRemoveById=950006" > > though when I try to test the rule via the following command: > > echo -e "GET / HTTP/1.0\nHost: MyApacheBox\nUser-Agent: Mozilla/5.0 > (Windows; U; Windows NT 5.1; id; rv:1.9.0.7) Gecko/200902 1910 > Firefox/3.0.7\n\n"|nc MyApacheBox 80 > > rule 950006 still gets flagged. What am I missing? > > [Ryan Barnett] Two possible issues - > > 1) When using the ctl:ruleRemoveById action for exceptions, you need to run this rule *before* the rule you are disabling. Move this from your *60* file into a file such as modsecurity_crs_15_PreFilteringRules.conf. > > 2) Use t:none in the action line so that you do not inherit any other transformation functions such as lowercase. > Hey Ryan and Christian, Thanks for your help. Strangely enough I put a blackslash in front of the paranthesis in the regex, and that solved the problem. ~ Roger |