Thread: [mod-security-users] Conditional SecRuleRemoveById
From: Ed G. <ED...@ha...> - 2017-12-18 18:06:11
I'm trying to remove a rule for only one page.
Does this look correct?
<Directory "/var/www/html/assistancecheck">
    <Files "sendddocument.php">
        SecRuleRemoveById 210220
        SecRuleRemoveById 210240
    </Files>
</Directory>
When I make it unconditional, it works.
Thanks
--
Ed Greenberg | Web Developer and Linux System Administrator
________________________________
HAPPY Software, Inc. l Work HAPPY-er!
t. 888-484-2779 l f. 518-584-5388
This message and any of its attachments are intended only for the use of the designated recipient, or the recipient’s designee, and may contain information that is confidential or privileged. If you are not the intended recipient, please immediately notify HAPPY Software, Inc., delete all copies of the message and any attachments and do not disseminate or make any use of their contents.
From: Christian F. <chr...@ne...> - 2017-12-19 07:12:40
Hey Ed,

Sorry, this won't work.

Reason being SecRuleRemoveById is a startup / config time directive. It removes the rule from the list of rules at the startup of the server. The directive is not evaluated during the handling of the requests.

What you want is to apply the exclusion conditionally at runtime. That's what the ctl:ruleRemoveById action (and friends) are here for.

The details are described in a certain detail in my tutorial at https://www.netnea.com/cms/apache-tutorial-7_including-modsecurity-core-rules/ in step 7 and 8. Plus a handy cheatsheet near the end of the guide.

Hope this helps.

Christian

On Mon, Dec 18, 2017 at 06:06:02PM +0000, Ed Greenberg wrote:
> I'm trying to remove a rule for only one page.
>
> Does this look correct?
>
> <Directory "/var/www/html/assistancecheck">
>     <Files "sendddocument.php">
>         SecRuleRemoveById 210220
>         SecRuleRemoveById 210240
>     </Files>
> </Directory>
>
> When I make it unconditional, it works.
>
> Thanks
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
From: Marc S. <mar...@ap...> - 2017-12-19 07:53:20
The following works:

<Location /assistancecheck/sendddocument.php>
    SecRuleRemoveById 210220
    SecRuleRemoveById 210240
</Location>

This is because a separate context is built for each location at config time.

On 19-12-17 08:12, Christian Folini wrote:
> Sorry, this won't work.
>
> Reason being SecRuleRemoveById is a startup / config time directive. It
> removes the rule from the list of rules at the startup of the server.
> The directive is not evaluated during the handling of the requests.
From: Christian F. <chr...@ne...> - 2017-12-19 08:01:14
Marc,

Seriously, this works? Awesome.

I never do Locations but maybe that's a mistake.

Thanks for correcting me.

Christian

On Tue, Dec 19, 2017 at 08:19:14AM +0100, Marc Stern wrote:
> The following works:
>
> <Location /assistancecheck/sendddocument.php>
>     SecRuleRemoveById 210220
>     SecRuleRemoveById 210240
> </Location>
>
> This is because a separate context is built for each location at config time
From: Marc S. <mar...@ap...> - 2017-12-19 12:53:40
Definitely! We heavily use this in our "default deny" framework: we block everything and open things in locations (via macros). This allows a real "default deny" approach with proper management.

Ex:

<Location /myapp>
    Use FrameworkDotNetMVC
    Use FrameworkJquery
    Use GoogleApi
    Use GoogleAnalytics
</Location>

In the above example, the macro FrameworkDotNetMVC will contain a lot of SecRuleRemoveById corresponding to the .NET framework, MVC.NET, plus some specific rules for IIS, etc.

And this works in production for more than 15 years ;-)

On 19-12-17 09:01, Christian Folini wrote:
> Seriously, this works? Awesome.
>
> I never do Locations but maybe that's a mistake.
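The two approaches discussed in this thread side by side, as an added example that is not Marc's or Christian's own configuration: the config-time <Location> context driven by a mod_macro macro, and the runtime ctl: exclusion. The macro name, rule ids 10001/10002 and the parameter name ARGS:document are placeholders chosen for this example; the rule ids 210220 and 210240 and the path are the ones from the thread.

```apache
# Config-time approach: SecRuleRemoveById is evaluated when Apache builds
# the per-<Location> context, so the rules are absent only in that context.
# <Macro> needs mod_macro loaded and must be defined before it is used.
<Macro ExcludeSendDocumentRules>
    SecRuleRemoveById 210220
    SecRuleRemoveById 210240
</Macro>

# <Location> matches by URL-path prefix, so this context also covers
# /assistancecheck/sendddocument.php/anything. If that is not wanted, an
# anchored <LocationMatch "^/assistancecheck/sendddocument\.php$"> pins it
# to exactly one path.
<Location /assistancecheck/sendddocument.php>
    Use ExcludeSendDocumentRules
</Location>

# Runtime approach: a rule that runs on every request and drops the two
# rules for the current transaction only. It must be loaded before the
# rules it removes (in the CRS layout, the exclusions file included before
# the rule set). Id 10001 is a placeholder from a local id range.
SecRule REQUEST_FILENAME "@streq /assistancecheck/sendddocument.php" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    ctl:ruleRemoveById=210220,\
    ctl:ruleRemoveById=210240"

# Narrower runtime variant ("and friends"): keep rule 210220 active on the
# page but stop it from inspecting the one parameter that triggers it.
# ARGS:document is an assumed parameter name. Every other argument on the
# same page stays covered by the rule.
SecRule REQUEST_FILENAME "@streq /assistancecheck/sendddocument.php" \
    "id:10002,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    ctl:ruleRemoveTargetById=210220;ARGS:document"
```

The config-time form is the simplest when the exclusion depends only on the path; the runtime form is needed when it depends on anything ModSecurity only knows per request (method, a parameter, a header), and the ruleRemoveTargetById form is the least-privilege option when a single parameter is the false-positive source.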
From: Ed G. <ED...@ha...> - 2017-12-19 13:08:47
Marc's suggestion worked. <Location> is my friend. And Christian's tutorials are a treasure trove. Thanks to both of you.

Actually a BIG thank you to all, since we are going live (turning off DetectOnly) site by site, over the next few weeks.

My boss has totally fallen in love with ModSecurity, now that I showed him how to read the logs and he sees what we're blocking.

--
Ed Greenberg | Web Developer and Linux System Administrator
From: Christian F. <chr...@ne...> - 2017-12-19 13:16:45
On Tue, Dec 19, 2017 at 01:08:31PM +0000, Ed Greenberg wrote:
> Actually a BIG thank you to all, since we are going live (turning off
> DetectOnly) site by site, over the next few weeks.
>
> My boss has totally fallen in love with ModSecurity, now that I showed
> him how to read the logs and he sees what we're blocking.

That's great news Ed! Congratulations.

How about writing a success story for the coreruleset.org blog?

Cheers!

Christian