[mod-security-users] Usage of "SecRuleUpdateTargetById" in chained rules possible?
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
[mod-security-users] Usage of "SecRuleUpdateTargetById" in chained rules possible?
|
From: Rechtberger F. <fri...@wi...> - 2011-08-31 11:35:51
|
Hi,
Is it possible to use "ctl:ruleUpdateTargetById" or
"SecRuleUpdateTargetById" in chained Rules?
I want to remove ARGS:text from the target of the second rule in the
rule '950801' chain.
Exception Rule:
---------------
SecRule REQUEST_BASENAME "@rx (?i)message.php"
"phase:1,t:none,log,pass,ctl:ruleUpdateTargetById=950801;!ARGS:text"
950801 CRS-Rule:
-----------------
SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1"
"chain,phase:2,rev:'2.2.1',t:none,block,msg:'UTF8 Encoding Abuse Attack
Attempt',id:'950801',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-2
0',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/6.5.2',sever
ity:'5'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding"
"setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomal
y_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},
setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{ma
tched_var}"
Best Regards
Fritz
|