Thread: [mod-security-users] disable rule based on arg
From: Leon B. <le...@ti...> - 2009-10-23 11:53:00
Hi all,

I have this rule for mod_security2:

SecRule ARGS|ARGS_NAMES "^http:/"

But I would like to disable it if the "option" arg == 'com_resize'.
So if the request contains option=com_resize I would like to disable the above rule.

I tried searching on Google but I only found out how to disable specific rules for specific locations.

Thanks in advance!

Leon
From: Christian B. <ch...@jw...> - 2009-10-24 11:08:01
Hi Leon,

you could for instance use the "skip" action:

SecRule ARGS:option "^com_resize$" "skip:1"
SecRule ARGS|ARGS_NAMES "^http:/"

The first rule should skip the evaluation of the second one if option=='com_resize'.

As your second rule seems to watch for remote references, you may want to make sure to limit the possible allowed remote-references for requests containing "option=='com_resize'" instead of completely skipping this rule.

Best regards,
Chris
From: Leon B. <le...@ti...> - 2009-10-24 20:41:37
Hi Christian,

Thank you very much! I'm gonna try this tomorrow!

Leon
From: Brian R. <Bri...@br...> - 2009-10-24 21:20:38
Some other options:

SecRule ARGS|ARGS_NAMES "^http:/" "chain,..."
SecRule ARGS:option "!^com_resize$"

NOTE: this may require option arg - I did not have time to verify

OR

SecRule ARGS:option "^com_resize$" "pass,nolog,phase:1,ctl:ruleRemoveById=1234"
SecRule ARGS|ARGS_NAMES "^http:/" "id:1234,..."

later,
-B

--
Brian Rectanus
Breach Security
Re: [mod-security-users] disable rule based on arg - Email found in
subject - Email found in subject
From: Leon B. <le...@ti...> - 2009-10-24 23:40:52
Aaah thanks! I'm gonna try them both.
At least now I know I have to search for "skip" and "chain".
Re: [mod-security-users] disable rule based on arg - Email found in
subject - Email found in subject
From: Leon B. <le...@ti...> - 2009-10-25 11:28:41
Hi Brian,

The first rule indeed needs an option arg.
Is it possible to chain another rule so the option arg is not required?

I now have this:

SecRule ARGS:option "^com_resize$" "pass,skip:1"
SecRule ARGS|ARGS_NAMES "^http:/"

But I like the syntax of the chain command better.

Leon
Re: [mod-security-users] disable rule based on arg - Email found in
subject - Email found in subject
From: Brian R. <Bri...@br...> - 2009-10-25 19:15:47
No way to do that without a skip to emulate an OR operation. Did you see my other option as well?

SecRule ARGS:option "^com_resize$" "pass,nolog,phase:1,ctl:ruleRemoveById=1234"
SecRule ARGS|ARGS_NAMES "^http:/" "id:1234,..."

-B

--
Brian Rectanus
Breach Security
Re: [mod-security-users] disable rule based on arg - Email found in
subject - Email found in subject
From: Leon B. <le...@ti...> - 2009-10-28 17:22:14
Hi Brian,

I've now used the ruleRemoveById option. It's the most clean for now.
Another question: can I use something like {HTTP_HOST} in the regex?

Leon
Re: [mod-security-users] disable rule based on arg - Email found in
subject - Email found in subject
From: Brian R. <Bri...@br...> - 2009-10-28 18:02:38
By {HTTP_HOST} you mean as a macro expansion? No, because the regexes are pre-compiled at configuration time so they are faster. You can use them in the string/math operators.

Examples:

"@beginsWith http://%{REQUEST_HEADERS.Host}"
"@contains %{REQUEST_HEADERS.Host}"
"@gt %{TX.limit}"

-B

--
Brian Rectanus
Breach Security
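Christian's advice to restrict the allowed remote references rather than drop the check, combined with the ruleRemoveById approach, could look like the configuration below. It is an added example, not a configuration posted in the thread: rule ids 1233 and 1235, the disruptive actions and messages, and the host name www.example.com are assumptions. The allowed host is written into the pattern because, as noted above, macros are not expanded inside regular expressions.

```apache
# Added example, not a configuration posted in the thread.
# Assumptions: rule ids 1233 and 1235, the msg texts, the deny/status actions
# and the host name www.example.com are placeholders for illustration.

SecRuleEngine On
SecRequestBodyAccess On

# Exception: remove rule 1234 for this transaction only, and only when
# option=com_resize. ctl:ruleRemoveById has to run before rule 1234 is
# evaluated, so this rule is placed ahead of it in the file. It runs in
# phase 2 (the thread's version uses phase 1) so that an "option" argument
# sent in a POST body is seen too; in phase 1 ARGS holds only the
# query-string arguments.
SecRule ARGS:option "@streq com_resize" \
    "id:1233,phase:2,pass,nolog,ctl:ruleRemoveById=1234"

# General rule from the thread: no argument name or value may start with
# "http:/". Skipped for com_resize requests because of rule 1233.
SecRule ARGS|ARGS_NAMES "@rx ^http:/" \
    "id:1234,phase:2,deny,status:403,log,msg:'Remote reference in argument'"

# Narrower replacement for com_resize requests: a value starting with
# "http:/" is still denied unless it continues with "/www.example.com/".
# The negative lookahead keeps this a single pre-compiled pattern that is
# applied to every argument, so one allowed URL in the request cannot hide
# a second, foreign one.
SecRule ARGS:option "@streq com_resize" \
    "id:1235,phase:2,deny,status:403,log,msg:'com_resize remote reference to unlisted host',chain"
    SecRule ARGS|ARGS_NAMES "@rx ^http:/(?!/www\.example\.com/)"
```

With these rules, a com_resize request carrying http://www.example.com/a.png passes, while any other value starting with http:/ is still denied by rule 1235, and requests without option=com_resize remain covered by rule 1234.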
Re: [mod-security-users] disable rule based on arg - Email found in
subject - Email found in subject
From: Leon B. <le...@ti...> - 2009-10-29 09:45:18
Hi Brian,

Thanks again. You're my hero of the day! :p

Leon