[mod-security-users] Trouble Removing a rule for ARGS_NAMES in phase:2
From: Jason S. <js...@ac...> - 2013-10-16 15:05:37
I'm using ModSecurity module 2.7.5 for IIS7(.5) with ruleset 2.2.7. I have the following rules in modsecurity_crs_15_custom_rules.conf

    SecRule ARGS_NAMES "^(customerid|q)" "phase:2,pass,id:'90010', \
        ctl:ruleRemoveById=960024, \
        ctl:ruleRemoveById=981173"

as well as:

    SecRule ARGS_NAMES "^(customerid|q)" "pass,id:'90011', \
        ctl:ruleRemoveById=960024, \
        ctl:ruleRemoveById=981173"

Rule 90011 works well when the request is a GET (for example I just pass "?q=1-1-1-1-1-1" in the URL). But when I use the search function on the page (which results in a POST with q passed as "1-1-1-1-1-1"), I would expect rule 90010 to trigger. It won't and I get caught by rule 981173.

When I put debugging on in detection mode, I noticed that the trigger on 981173 ALWAYS happened before the trigger on 90010. (Like the 2 conf files are being processed in the wrong order?)

I've also tried creating a file mod_security_crs_48_localexceptions.conf with the line:

    SecRuleUpdateTargetById 981173 "!ARGS:(customerid|q)"

But that doesn't seem to work either.

Any help would be greatly appreciated.

Jason