[mod-security-users] Usage of "SecRuleUpdateTargetById" in chained rules possible?
Brought to you by:
victorhora,
zimmerletw
From: Rechtberger F. <fri...@wi...> - 2011-08-31 11:35:51
|
Hi, Is it possible to use "ctl:ruleUpdateTargetById" or "SecRuleUpdateTargetById" in chained Rules? I want to remove ARGS:text from the target of the second rule in the rule '950801' chain. Exception Rule: --------------- SecRule REQUEST_BASENAME "@rx (?i)message.php" "phase:1,t:none,log,pass,ctl:ruleUpdateTargetById=950801;!ARGS:text" 950801 CRS-Rule: ----------------- SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" "chain,phase:2,rev:'2.2.1',t:none,block,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-2 0',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/6.5.2',sever ity:'5'" SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomal y_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score}, setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{ma tched_var}" Best Regards Fritz |