Re: [mod-security-users] Use of regex in SecRuleUpdateTargetById ?
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Use of regex in SecRuleUpdateTargetById ?
|
From: Ryan B. <RBa...@tr...> - 2012-01-21 02:02:14
|
If you want to use a regex for the variable collection item, you must use forward slashes like this - SecRuleUpdateTargetById 981173 "!ARGS_NAMES:/-search-form:/" Ryan On Jan 20, 2012, at 8:01 PM, "Todd Michael Bushnell" <to...@to...> wrote: > I have a pile of false positives impacting a 10+ ARGS_NAMES with a pretty similar pattern. > > Example: > > at ARGS_NAMES:job-search-forms:foo-bar. > at ARGS_NAMES:name-search-forms:bar-baz. > ... > > My plan was to do something like this: > > SecRuleUpdateTargetById 981173 "!ARGS_NAMES:.*-search-form.*" > > but that doesn't seem to work. The manual didn't indicate that regex could be used with SecRuleUpdateTargetById, but I was hoping I could pull something like this off. We're talking about 10 patterns, each of which is tripping 6 or so Rules so I'd prefer not to list individually if I can help it. Any shortcuts appreciated. Thanks. > > todd > > > > > ------------------------------------------------------------------------------ > Try before you buy = See our experts in action! > The most comprehensive online learning library for Microsoft developers > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, > Metro Style Apps, more. Free future releases when you subscribe now! > http://p.sf.net/sfu/learndevnow-dev2 > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. |