[mod-security-users] RuleRemoveTargetById for a regexp'able list of ARGS
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
[mod-security-users] RuleRemoveTargetById for a regexp'able list of ARGS
|
From: Elmar K. B. <el...@no...> - 2015-08-20 13:42:52
|
Guys,
I have a rather peculiar problem (who could have guessed)...
We're using the OWASP rules, as most people, I guess, and they do of course fire
on our "ARGS:translation0..." parameters, since those are designed to contain
"foreign characters". So far, so good. Or not. Sounds simple, right?
Now I need to explicitly whitelist those parameters. I was about to try
SecRule REQUEST_FILENAME "^/<whatever-endpoint>$" \
"phase:2,id:'xxxxx',pass,ctl:RuleRemoveTargetById=900000-999999;ARGS:/translation.*/"
... but I got stopped by lightheartedly googling away and finding out that
regexps are not implemented for RuleRemoveTargetById.
Can anybody hint to how to get this done in a way that is more elegant than
having 50 (or 60 or 70) SecRule entries matching a REQUEST_FILENAME regexp and
then RuleRemoveTargetById'ing translationXX (which would also mean quite a
performance hit, I guess)?
One idea would have been to use a transformation function that would zap the
contents, but such transformation does not exist and thus would have to be
programmed, compiled to a module and included.
So if there is an easier way, please help me out.
Thank you,
Elmar.
|
