Re: [mod-security-users] Conditional SecRuleRemoveById
From: Marc S. <mar...@ap...> - 2017-12-19 12:53:40
Definitely!
We heavily use this in our "default deny" framework: we block everything and open things in locations (via macros); this allows a real "default deny" approach with proper management.

Ex:
<Location /myapp>
    Use FrameworkDotNetMVC
    Use FrameworkJquery
    Use GoogleApi
    Use GoogleAnalytics
</Location>

In the above example, the macro FrameworkDotNetMVC will contain a lot of SecRuleRemoveById corresponding to the .NET framework, MVC.NET, plus some specific rules for IIS, etc.

And this has worked in production for more than 15 years ;-)

On 19-12-17 09:01, Christian Folini wrote:
> Marks,
>
> Seriously, this works? Awesome.
>
> I never do Locations but maybe that's a mistake.
>
> Thanks for correcting me.
>
> Christian
>
> On Tue, Dec 19, 2017 at 08:19:14AM +0100, Marc Stern wrote:
>> The following works:
>> <Location /assistancecheck/sendddocument.php>
>>     SecRuleRemoveById 210220
>>     SecRuleRemoveById 210240
>> </Location>
>>
>> This is because a separate context is built for each location at config time
>>
>> On 19-12-17 08:12, Christian Folini wrote:
>>> Hey Ed,
>>>
>>> Sorry, this won't work.
>>>
>>> Reason being SecRuleRemoveById is a startup / config time directive. It
>>> removes the rule from the list of rules at the startup of the server.
>>> The directive is not evaluated during the handling of the requests.
>>>
>>> What you want is to apply the exclusion conditionally at runtime. That's what
>>> the ctl:ruleRemoveById action (and friends) are here for.
>>>
>>> The details are described in a certain detail in my tutorial at
>>> https://www.netnea.com/cms/apache-tutorial-7_including-modsecurity-core-rules/
>>> in step 7 and 8. Plus a handy cheatsheet near the end of the guide.
>>>
>>> Hope this helps.
>>>
>>> Christian
>>>
>>>
>>> On Mon, Dec 18, 2017 at 06:06:02PM +0000, Ed Greenberg wrote:
>>>> I'm trying to remove a rule for only one page.
>>>>
>>>> Does this look correct?
>>>>
>>>> <Directory "/var/www/html/assistancecheck">
>>>>     <Files "sendddocument.php">
>>>>         SecRuleRemoveById 210220
>>>>         SecRuleRemoveById 210240
>>>>     </Files>
>>>> </Directory>
>>>>
>>>> When I make it unconditional, it works.
>>>>
>>>> Thanks
>>>>
>>>> --
>>>> Ed Greenberg | Web Developer and Linux System Administrator
>>>> __________________________________________________________________
>>>>
>>>> HAPPY Software, Inc. l Work HAPPY-er!
>>>> t. 888-484-2779 l f. 518-584-5388
>>>> This message and any of its attachments are intended only for the use
>>>> of the designated recipient, or the recipient’s designee, and may
>>>> contain information that is confidential or privileged. If you are not
>>>> the intended recipient, please immediately notify HAPPY Software, Inc.,
>>>> delete all copies of the message and any attachments and do not
>>>> disseminate or make any use of their contents.
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>> _______________________________________________
>>>> mod-security-users mailing list
>>>> mod...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>> http://www.modsecurity.org/projects/commercial/support/
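
The two approaches discussed in this thread, side by side, as an added example that is not part of any poster's message: a runtime exclusion with ctl:ruleRemoveById and a config-time exclusion with SecRuleRemoveById inside a Location, wrapped in a mod_macro macro. The rule IDs 210220/210240 and the URL path come from the thread; the macro name SendDocumentExclusions, the include path and rule id 10001 are assumptions. Either approach alone is sufficient; both are shown so the ordering requirements are visible in one file.

```apache
# Added example (ModSecurity 2.x on Apache httpd with mod_macro loaded).
# Assumed names: SendDocumentExclusions, id 10001, the Include path.

# --- Runtime exclusion ------------------------------------------------
# ctl:ruleRemoveById is evaluated per request, so this rule must be
# defined BEFORE the rules it switches off are loaded.
# @streq keeps the exclusion limited to exactly one script.
SecRule REQUEST_FILENAME "@streq /assistancecheck/sendddocument.php" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=210220,\
    ctl:ruleRemoveById=210240"

# --- Rule set ---------------------------------------------------------
# Assumed location of the rule files that define 210220 and 210240.
Include conf/modsecurity/rules/*.conf

# --- Config-time exclusion --------------------------------------------
# SecRuleRemoveById is processed at startup, so it must come AFTER the
# rules it removes have been loaded. Placed in a <Location>, it only
# changes the rule list of that location's configuration context.
<Macro SendDocumentExclusions>
    SecRuleRemoveById 210220
    SecRuleRemoveById 210240
</Macro>

<Location /assistancecheck/sendddocument.php>
    Use SendDocumentExclusions
</Location>
```

Comments sit on their own lines because httpd does not accept trailing comments after a directive. After a reload, a request to the excluded path that previously triggered 210220 or 210240 should no longer log those IDs in the audit log, while the same payload sent to any other path still should.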