Re: [mod-security-users] Turning off the audit engine for a parameter
From: Peter B. <pet...@gm...> - 2011-10-12 10:56:51
Hello,

My intention is to skip checking of the "claim" variable. It's a text area and I get lots of false positives (XSS, SQL injection). The "claim" text area is free to contain anything, we don't care about it. And I found that removing rules with ruleUpdateTargetById is tedious, because of the many rules.

On Wed, Oct 12, 2011 at 12:51, Christian Bockermann <ch...@jw...> wrote:
> Hi Peter,
>
> can you perhaps explain what your intention is with that? Do you want
> to exclude the POST variable "claim" from being logged? Then maybe the
> "sanitiseArgs" action is appropriate for you:
>
> SecRule REQUEST_URI "@streq /claim/Claim.asp" "phase:1,sanitiseArgs:claim"
>
> This should replace the value of "claim" with "***".
>
> Other than that, a removal of variables from the audit-log is not supported.
>
> Regards,
> Chris
>
>
> On 12.10.2011 at 11:47, Peter BARABAS wrote:
>
>> Hello,
>>
>>
>> Is there a way to disable the engine only for a POST variable?
>>
>> The following doesn't work:
>>
>> SecRule REQUEST_URI "@streq /claim/Claim.asp" "phase:1,t:none,log,pass,ctl:auditEngine=Off;!ARGS:claim"
>>
>> I get a syntax error.
>>
>> Syntax error on line 9 of /etc/modsecurity/rules-enabled/local_exceptions.conf:
>> Error parsing actions: Invalid setting for ctl name auditEngine:
>> Off;!ARGS:claim
>>
>> I guess the auditEngine ctl doesn't allow parameters.
>>
>> Thanks in advance.
>>
>>
>> --
>> '(Yours parenthetically
>> "peter barabas")

--
'(Yours parenthetically
"peter barabas")
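
The two goals discussed in this thread, written out as an added configuration example that is not from any of the posters: masking "claim" in the audit log with sanitiseArgs, and skipping inspection of "claim" on this one URI by tag instead of rule by rule. It assumes a ModSecurity 2.x build that supports ctl:ruleRemoveTargetByTag and a rule set that tags its XSS and SQL injection rules; the rule ids and tag names below are placeholders.

```apache
# Added example. Rule ids 100001-100002 and the tag names are placeholders:
# pick ids from your local range and use the tags your rule set really applies.

# 1) Logging only: sanitiseArgs masks the value of "claim" in the audit log.
#    Every rule still inspects the parameter, so false positives are unchanged.
SecRule REQUEST_URI "@streq /claim/Claim.asp" \
    "phase:1,id:100001,t:none,nolog,pass,sanitiseArgs:claim"

# 2) Inspection: ctl:auditEngine only takes On, Off or RelevantOnly, which is
#    why "Off;!ARGS:claim" is rejected at parse time. A per-request target
#    exclusion uses the ruleRemoveTarget* ctl options, which take the form
#    <selector>;<target>. Selecting by tag covers a whole rule family at once.
#    Run it in phase 1 so it is registered before the phase 2 rules evaluate.
SecRule REQUEST_URI "@streq /claim/Claim.asp" \
    "phase:1,id:100002,t:none,nolog,pass,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/XSS;ARGS:claim,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/SQL_INJECTION;ARGS:claim"

# Scope check: both rules match only the exact URI /claim/Claim.asp, and the
# exclusion names only ARGS:claim. Every other parameter on this URI, and
# "claim" on every other URI, is still inspected by the full rule set.
```

Because "claim" is no longer screened for XSS or SQL injection on this URI, the application itself has to encode the value on output and bind it as a query parameter.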