Re: [mod-security-users] Whitespace in HTTP protocol field triggering rule?
From: Ryan B. <RBa...@tr...> - 2011-02-25 15:02:48
On 2/25/11 9:55 AM, "Ray Van Dolson" <rva...@es...> wrote:

>On Fri, Feb 25, 2011 at 06:37:12AM -0800, Josh Amishav-Zlatin wrote:
>> On Fri, Feb 25, 2011 at 4:08 PM, Ray Van Dolson <rva...@es...> wrote:
>> > On Thu, Feb 24, 2011 at 10:19:55PM -0800, Josh Amishav-Zlatin wrote:
>> >> On Fri, Feb 25, 2011 at 3:10 AM, Ray Van Dolson <rva...@es...> wrote:
>> >> > Yes, OWA :)  I should be able to upgrade ModSec and the CRS, but would
>> >> > be interested in a short-term fix short of disabling this rule if
>> >> > possible...
>> >>
>> >> Short term solution of disabling the rule would be adding the
>> >> following rule after the initial rule was created:
>> >>
>> >> SecRuleUpdateActionById 960034
>> >>
>> >
>> > Thanks Josh.
>> >
>> > I tried adding this to my VirtualHost definition:
>> >
>> >  SecRuleUpdateActionById 960034 allow
>> >
>> > I'm not really clear on what this gains me over doing a
>> > SecRuleRemoveById.  In any case, the deny seems to still be
>> > happening anyways.  I'll have to re-read the docs on that particular
>> > directive.
>> >
>>
>> I'm sorry, you're absolutely right, I meant to write SecRuleRemoveById.
>> Did you add the SecRuleRemoveById after you included the core rule
>> set?
>>
>
>No, but I will.  I was actually looking for a solution that didn't
>involve disabling the rule (more along the lines of not populating
>REQUEST_PROTOCOL with parameters from REQUEST_URI).
>
>Probably upgrading ModSec and CRS is the only way to achieve that
>though.

Ray,
I would suggest a conditional removal rather than a global one -

SecRule REQUEST_FILENAME "@beginsWith /exchange/" "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=960034"

This rule will not check the HTTP protocol version on the OWA exchange URI.

-Ryan
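
The two removal approaches from this thread, laid out with the ordering each one depends on. This is an added example, not configuration posted by anyone on the list; the Include path and the `id` value are assumptions, and all directives are assumed to sit in the same configuration context.

```apache
# --- Scoped, per-request removal (the conditional approach suggested above) ---
# ctl:ruleRemoveById acts at request time and only affects rules that have
# not yet been evaluated in the current transaction. Declaring this rule in
# phase 1 and ahead of the CRS Include means it is evaluated before 960034
# whichever phase the CRS assigns to that rule.
# id:1000001 is a constructed value; ModSecurity 2.7 and later reject a
# SecRule that has no id action.
SecRule REQUEST_FILENAME "@beginsWith /exchange/" \
    "id:1000001,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=960034"

# Assumed location of the Core Rule Set files.
Include /etc/httpd/modsecurity.d/crs/*.conf

# --- Global removal (the alternative discussed earlier in the thread) ---
# SecRuleRemoveById is resolved when the configuration is loaded, so it has
# to appear AFTER the Include that defines 960034; placed before it, there is
# nothing to remove yet and the rule stays active.
# Left commented out: enabling it drops the protocol-version check for every
# URI, not only /exchange/.
#SecRuleRemoveById 960034
```

With the scoped variant, requests outside `/exchange/` are still checked by rule 960034, which is the difference between the two options that the thread is weighing.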