Re: [mod-security-users] REQUEST_COOKIES_NAMES:/regex/ does not work
From: Christian F. <chr...@ne...> - 2018-04-02 20:38:51
Hello Eric,

On Mon, Apr 02, 2018 at 07:31:14PM +0000, Eric Wheeler wrote:
> We have tried the following, but none have worked:
>
> SecRuleUpdateTargetById 1234123413 "!REQUEST_COOKIES_NAMES:/_gac_UA-5521579-1/"
> SecRuleUpdateTargetById 1234123413 "!REQUEST_COOKIES:/_gac_UA-5521579-1/"
>
> SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:/_gac_UA-5521579-1/"
>
> SecRuleUpdateTargetById 1234123413 "!REQUEST_COOKIES_NAMES:_gac_UA-5521579-1"
> SecRuleUpdateTargetById 1234123413 "!REQUEST_COOKIES:_gac_UA-5521579-1"
>
>
> Interestingly, these two work, but are of course too permissive:
>
> SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:/./"
> SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:Cookie"

If

  SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:/./"

works, it's undocumented behaviour. This does not really support regexes.

However, this is meant to work:

  SecRuleUpdateTargetById 1234123413 "!REQUEST_COOKIES:_gac_UA-5521579-1"

Could you please raise your ModSec Debug level to 9 and check what is
going on? You should see this cookie added to an ignore list and then
when 1234123413 is being executed, it should be removed from the list of
targets for the rule.

If it really does not work, you might have to do a runtime rule exclusion
via a ctl statement.

Ahoj,

Christian

--
Integrity without knowledge is weak and useless, and knowledge without
integrity is dangerous and dreadful.
-- Samuel Johnson
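
The two steps suggested in the reply above, written out as an added ModSecurity 2.x configuration example (not part of the original message or of any project rule set). The debug log path and the rule id 10001 are placeholders chosen for illustration; the rule id 1234123413 and the cookie name are taken from the thread.

```apache
# --- Step 1: temporary diagnosis ---------------------------------------
# Level 9 records every target evaluated by every rule, so the log shows
# whether the cookie is still in the target list when 1234123413 runs.
# It also writes request data to disk and grows quickly: set it back to
# 0 once the check is done.
# Path is a placeholder.
SecDebugLog /var/log/modsec_debug.log
SecDebugLogLevel 9

# --- Step 2: runtime exclusion via ctl ---------------------------------
# Fallback if the startup-time SecRuleUpdateTargetById does not take effect.
# This rule must be loaded before rule 1234123413 and must run in a phase
# no later than that rule's phase, otherwise the target is removed too late.
# It only fires when the request actually carries the cookie, and it removes
# only that one cookie from only that one rule; all other cookies and
# headers stay inspected.
# id:10001 is a placeholder; use a free id from your local range.
SecRule REQUEST_COOKIES_NAMES "@streq _gac_UA-5521579-1" \
    "id:10001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=1234123413;REQUEST_COOKIES:_gac_UA-5521579-1"
```

If rule 1234123413 inspects the raw `REQUEST_HEADERS:Cookie` value rather than `REQUEST_COOKIES`, removing the cookie target will not change its result, and the level 9 log will show which variable actually matched.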