[mod-security-users] How ignore static content? - OWASP/CRS
From: Cristiano G. <cri...@gm...> - 2016-07-15 15:36:17
Hi there,

I'm using CRS 2.2.8 and activated all base_rules and optional_rules/ *modsecurity_crs_10_ignore_static.conf*, but events are still matched on static content.

FILE *modsecurity_crs_10_ignore_static.conf:*

SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,skip:1,pass,nolog,id:'900040',severity:'6'"
    SecRule &ARGS "@eq 0" "t:none,setvar:tx.no_parameters=1"
SecAction "phase:2,id:'900041',t:none,nolog,pass,skipAfter:END_STATIC_CONTENT_CHECK"
SecRule REQUEST_FILENAME "\.(?:(?:jpe?|pn)g|gif|ico)$" "phase:2,t:none,t:lowercase,allow,nolog,id:'900042',severity:'6'"
SecRule REQUEST_FILENAME "\.(?:doc|pdf|txt|xls)$" "phase:2,t:none,t:lowercase,setvar:tx.text_file_extension=1,allow:phase,nolog,id:'900043',severity:'6'"
SecRule REQUEST_FILENAME "\.(?:(?:cs|j)s|html?)$" "phase:2,t:none,t:lowercase,setvar:tx.text_file_extension=1,allow:phase,nolog,id:'999005',severity:'6'"
SecRule REQUEST_FILENAME "\.(?:mp(?:e?g|3)|avi|flv|swf|wma)$" "phase:2,t:none,t:lowercase,allow,nolog,id:'999006',severity:'6'"
SecMarker END_STATIC_CONTENT_CHECK

*Example of request (Match rule 958291 [Range: field exists and begins with 0])*:

GET /media/191.mp3? HTTP/1.1
Host: site.host.com.br
Connection: keep-alive
Accept-Encoding: identity;q=1, *;q=0
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Accept: */*
Referer: https://site.host.com.br/diope.jsf
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: JSESSIONID=session.undefined
*Range: bytes=0-*

*Example of request (Match rule 960015 [Request Missing an Accept Header])*:

GET /img/icone/icon.ico? HTTP/1.1
Host: site.host.com.br
Connection: keep-alive
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_2 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/51.0.2704.104 Mobile/13F69 Safari/601.1.46
Accept-Encoding: gzip, deflate, sdch
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4
If-None-Match: W/"2238-1467411300000"
If-Modified-Since: Fri, 01 Jul 2016 22:15:00 GMT

How can I definitely ignore static content?

Best regards,
--
Cristiano Galdino - cri...@ga...
http://cristiano.galdino.net