Hi Dominik, you can use SecRuleUpdateActionById to modify the rule action on preexistent rules without removing them.
Regards,
Manuel
> On Nov 20, 2019, at 5:20 AM, Dominik Strecker <Dom...@sy...> wrote:
>
> Hi there,
>
> I can whitelist a rule (e. g., from the CRS) for a specific URL like so:
>
> SecRule REQUEST_URI "@beginsWith /fileupload/" "id:1920120,phase:1,nolog,pass,ctl:ruleRemoveById=920120"
>
> Is there a way to not remove the rule entirely, but just make it log instead of block? The only way I found was to copy and doctor the entire rule, which is hard to maintain.
>
> The use case is: Users sometimes upload files with weird names. I want to allow this, but still see it in the logs.
>
> Many thanks,
> Dominik
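The directive suggested in the reply, set beside the rule from the question, as an added example that is not part of the original thread. It assumes ModSecurity v2 syntax and a CRS that is included earlier in the configuration (the include path is a placeholder); rule id 920120 and `/fileupload/` come from the question. Unlike the `ctl:ruleRemoveById` rule, this directive is applied when the configuration is loaded, so at this scope it changes the rule for every request, not only for `/fileupload/`.

```apache
# Added example, not from the thread.
# Assumption: the CRS is loaded above this point, because the directive can
# only update a rule that has already been defined.
# Include /path/to/crs/rules/*.conf    (placeholder path)

# Before (from the question): rule 920120 is removed for the upload path,
# so a match there is neither blocked nor logged.
# SecRule REQUEST_URI "@beginsWith /fileupload/" \
#     "id:1920120,phase:1,nolog,pass,ctl:ruleRemoveById=920120"

# After: the rule stays in place. Its disruptive action is replaced with
# "pass" and logging is kept, so matches still appear in the logs.
# The directive cannot change a rule's id or phase. Actions that may appear
# only once are overwritten; actions that may repeat (for example setvar)
# are appended, so the rule's existing setvar actions remain.
SecRuleUpdateActionById 920120 "pass,log,auditlog"

# Consequence of the retained setvar actions: in CRS anomaly-scoring mode a
# match still adds to the anomaly score, and the request can still be
# blocked later by the CRS blocking evaluation once the threshold is reached.
```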