Thread: [mod-security-users] SecRule syntaxes
From: David R <re...@li...> - 2012-07-24 22:50:41
Hello,

I wondered how I could, for example:

Whitelist the "param" argument for the url /prout.php on the vhost www.host.com from 950901 rule id.

The maximum that I am able to do is:

SecRule REQUEST_HEADERS:Host "www.host.com$" "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=950109;ARGS:param"

How could I include the REQUEST_URI "^/prout\.php" to that request?

My other question is regarding performance: is there any advantage to writing a rule like this one:

SecRule REQUEST_HEADERS:Host "www.host.com$" "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=981173,ctl:ruleRemoveById=950901,ctl:ruleRemoveById=950109,ctl:ruleRemoveById=950117;ARGS:param"

Will the previous rule work and will it impact performance in a good or bad way?

Thank you for your responses.

Kind regards
From: Josh Amishav-Z. <ja...@gm...> - 2012-07-25 19:58:38
On Wed, Jul 25, 2012 at 1:50 AM, David R <re...@li...> wrote:

> Hello,
>
> I wondered how I could, for example:
>
> Whitelist the "param" argument for the url /prout.php on the vhost
> www.host.com
> from 950901 rule id.
>
> The maximum that I am able to do is:
>
> SecRule REQUEST_HEADERS:Host "www.host.com$"
> "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=950109;ARGS:param"
>
> How could I include the REQUEST_URI "^/prout\.php" to that request?
>

Hi David,

The ruleRemoveById just takes a rule id as a parameter; the SecRuleUpdateTargetById directive lets you white list certain parameters for a given rule. While you can chain rules together to add the REQUEST_URI parameter condition, you can also use Apache Location directives as well, e.g.:

SecRule REQUEST_HEADERS:Host "www.host.com" "phase:1,t:none, \
nolog,id:1,chain,pass,ctl:ruleUpdateTargetById=950109!ARGS:param"
SecRule REQUEST_URI "^/prout\.php"

or

<Location /prout.php>
SecRule REQUEST_HEADERS:Host "www.host.com" "phase:1,t:none, \
nolog,id:1,pass,ctl:ruleUpdateTargetById=950109!ARGS:param"
</Location>

--
- Josh
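The point made in the reply above, that ruleRemoveById takes only a rule id, can be checked mechanically across a rule set. The following is an added example, not part of the original thread and not ModSecurity code: a small Python lint (the function names and the sample text are constructed here) that reports `ctl:ruleRemoveById` actions carrying a target suffix such as `;ARGS:param`, so they can be rewritten as per-parameter target exclusions.

```python
import re

# ctl:ruleRemoveById=<id or range>, optionally followed by a target suffix
# such as ";ARGS:param" (the pattern asked about in this thread).
CTL_RE = re.compile(
    r"ctl:ruleRemoveById=([0-9\-]+)\s*([;!]\s*!?[A-Za-z_]+(?::[^,\"\s]+)?)?",
    re.IGNORECASE,
)

def join_continuations(text):
    """Yield (first_line_no, logical_line), joining backslash-continued lines."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        yield start, buf + stripped
        buf, start = "", None
    if buf:  # file ended in the middle of a continued line
        yield start, buf

def find_ignored_targets(text):
    """Return (line_no, rule_id, target) for each ruleRemoveById given a target."""
    findings = []
    for no, line in join_continuations(text):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        for m in CTL_RE.finditer(line):
            if m.group(2):
                findings.append((no, m.group(1), m.group(2).lstrip(";! ").strip()))
    return findings

# Constructed sample, built from the rules quoted in this thread.
SAMPLE = r'''
# exclusions for www.host.com
SecRule REQUEST_HEADERS:Host "www.host.com$" "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=950109;ARGS:param"
SecRule REQUEST_HEADERS:Host "www.host.com$" "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=981173,ctl:ruleRemoveById=950117;ARGS:param"
SecRule REQUEST_HEADERS:Host "www.host.com" "phase:1,t:none, \
nolog,id:1,pass,ctl:ruleUpdateTargetById=950109!ARGS:param"
'''

if __name__ == "__main__":
    for line_no, rule_id, target in find_ignored_targets(SAMPLE):
        print(f"line {line_no}: ruleRemoveById={rule_id} carries target '{target}'")
```

Each finding is a place where the intended scope (one parameter) and the action used (removal by rule id) disagree, which is worth reviewing because it can leave a rule disabled more broadly than the author meant.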
From: David R <re...@li...> - 2012-07-26 06:44:47
Thank you so much for this clear, perfect reply.

But does it mean that this rule will not work/be effective on the MYPARAM argument?

SecRule REQUEST_FILENAME "@streq /path/to/a/file" "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=981173;ARGS:MYPARAM"

And what about this one?

SecRule REQUEST_HEADERS:Host "www.host.com$" "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=981173,ctl:ruleRemoveById=950901,ctl:ruleRemoveById=950109,ctl:ruleRemoveById=950117;ARGS:referer"

Thanks again for your response