[mod-security-users] custom rules
Brought to you by:
victorhora,
zimmerletw
From: <ja...@je...> - 2010-04-08 11:12:32
|
Hi, >From the documents: It is highly encouraged that you do not edit the Core rules files themselves but rather place all changes (such as SecRuleRemoveByID, etc...) in your custom rules file modsecurity_crs_15_customrules.conf Thus i create a file modsecurity_crs_15_customrules.conf and try to remove a rule that cause blocking. But it don't work: Example Usage: SecRuleRemoveByID 1 2 "9000-9010" Example Usage: SecRuleRemoveByMsg "FAIL" if i want to block rule: SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION'" SecRule REQUEST_HEADERS:Content-Length "!^0?$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.protocol_violation_score=+1,setvar:tx.anomaly_score=+5,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" then i wrote this in modsecurity_crs_15_customrules.conf and place in /usr/local/apache/conf/modsecurity/base_rules SecRuleRemoveByID 960011 SecRuleRemoveByMsg "GET or HEAD requests with bodies" is it correct? many thanks Jay This e-mail is intended solely for the addressee. If you have received this e-mail in error, please notify the sender by reply e-mail and immediately delete it from your system. |