Re: [mod-security-users] disable rule based on arg - Email found in subject - Email found in subjec
Brought to you by:
victorhora,
zimmerletw
From: Brian R. <Bri...@br...> - 2009-10-25 19:15:47
|
No way to do that whiout a skip to emulate an OR operation. Did you see my other option as well? SecRule ARGS:option "^com_resize$" "pass,nolog,phase:1,ctl:ruleRemoveById=1234" SecRule ARGS|ARGS_NAMES "^http:/" "id:1234,..." -B Leon Bogaert wrote: > Hi Brian, > > The first rule indeed needs an option arg. > Is it possible to chain another rule so the option arg is not required? > > I know have this: > SecRule ARGS:option "^com_resize$" "pass,skip:1" > SecRule ARGS|ARGS_NAMES "^http:/" > > But I like the syntax of the chain command better. > > Leon > > ________________________________________ > From: Brian Rectanus [Bri...@br...] > Sent: 24 October 2009 23:20 > To: Leon Bogaert > Cc: Christian Bockermann; mod...@li... > Subject: Re: [mod-security-users] disable rule based on arg - Email found in subject - Email found in subject > > Some other options: > > > SecRule ARGS|ARGS_NAMES "^http:/" "chain,..." > SecRule ARGS:option "!^com_resize$" > > NOTE: this may require option arg - I did not have time to verify > > OR > > SecRule ARGS:option "^com_resize$" "pass,nolog,phase:1,ctl:ruleRemoveById=1234" > SecRule ARGS|ARGS_NAMES "^http:/" "id:1234,..." > > later, > -B > > > > Leon Bogaert wrote: > > Hi Christian, > > Thank you very much! I'm gonna try this tomorrow! > > Leon > > ________________________________________ > From: Christian Bockermann [ch...@jw...<mailto:ch...@jw...>] > Sent: 24 October 2009 13:07 > To: Leon Bogaert > Cc: mod...@li...<mailto:mod...@li...> > Subject: Re: [mod-security-users] disable rule based on arg - Email found in subject > > Hi Leon, > > you could for instance use the "skip" action: > > SecRule ARGS:option "^com_resize$" "skip:1" > SecRule ARGS|ARGS_NAMES "^http:/" > > The first rule should skip the evaluation of the second one if > option=='com_resize'. > > As you second rule seems to watch for remote references, you may want > to make sure to limit > the possible allowed remote-references for requests containing > "option=='com_resize'" instead > of completely skipping this rule. > > Best regards, > Chris > > > Am 23.10.2009 um 13:39 schrieb Leon Bogaert: > > > > Hi all, > > I have this rule for mod_security2: > SecRule ARGS|ARGS_NAMES "^http:/" > > But I would like to disable it if the "option" arg == 'com_resize' > So if the request containst option=com_resize I would like to > disable the above rule. > > I tried searching on google but I only found out how to disable > specific rules for specific locations. > > Thanks in advance! > > Leon > > ------------------------------------------------------------------------------ > Come build with us! The BlackBerry(R) Developer Conference in SF, CA > is the only developer event you need to attend this year. Jumpstart > your > developing skills, take BlackBerry mobile applications to market and > stay > ahead of the curve. Join us from November 9 - 12, 2009. Register now! > http://p.sf.net/sfu/devconference > _______________________________________________ > mod-security-users mailing list > mod...@li...<mailto:mod...@li...> > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Appliances, Rule Sets and Support: > http://www.modsecurity.org/breach/index.html > > > > > ------------------------------------------------------------------------------ > Come build with us! The BlackBerry(R) Developer Conference in SF, CA > is the only developer event you need to attend this year. Jumpstart your > developing skills, take BlackBerry mobile applications to market and stay > ahead of the curve. Join us from November 9 - 12, 2009. Register now! > http://p.sf.net/sfu/devconference > _______________________________________________ > mod-security-users mailing list > mod...@li...<mailto:mod...@li...> > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Appliances, Rule Sets and Support: > http://www.modsecurity.org/breach/index.html > > > > -- > Brian Rectanus > Breach Security > > -- Brian Rectanus Breach Security |