Re: [mod-security-users] base64Decode
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] base64Decode
|
From: SR <hec...@op...> - 2007-07-12 16:09:22
|
Hi, thank you for answering so fast. All this 'transformation'-thing is much clearer now. > The lowercase transformation function is breaking the Base64 encoded > data as it is case sensitive. This is a great example of the additive > nature of inherited transformation function values. I thought it works like this: Each value (to be checked) will be transformed by the first function and then checked against the rule. Then the _initial_ value is transfomed using the second function and checked once again. Didn't get the point that the transformations are working in a pipe and only the end result will be checked by the rule. I was completely wrong :( > I am guessing that you updated Core Rule ID 950004 and added the No I did it the fatal way. I added t:base64Decode to the default action in modsecurity_crs_40_generic_attacks.conf > If you want to use the base64Decode transformation function, then you > will need to first specify "t:none" in the action portion of your rule > (to clear out the inherited data) and then explicitly specify your own > (excluding t:lowercase). Good advice, thanks. > Hope this helps. Yes of course! Thank you very much! Regards, SR |
