Re: [mod-security-users] Filter question

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Gerwin Krist -|- Digitalus Webhosting wrote:
> Hello guys,
> 
> I want the following filter but i can't figger it out exactly.
> I want to check ARGS if there is http:// in it AND .txt OR.jpg OR .gif.
> so it should match on all: 
> id=http://www.ddddd.br/dc.jpg
> id=http://www.ddddd.br/dc.txt
> id=http://www.ddddd.br/dc.jpg
> 
> What should be the filter code to use?

  Try something like this:

  SecFilterSelective ARGS "(http:/).+(\.txt|\.jpg|\.gif)"
                                ^1     ^2

  1. Anti-evasion techniques mod_security uses will compress multiple
     forward slash characters to only one.

  2. Because the dot character has a special meaning in regular
     expressions you will want to escape it to neutralise it.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]