Re: Disabling rules for one argument
From: Christian Bockermann <chris <at> jwall.org>
Subject: Re: Disabling rules for one argument
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-07-04 16:04:23 GMT
Nick Gearls schrieb:
> Obviously, I was not specific enough.
>
> I want to create a rule for all arguments at the global level, then,
> inside a sub-location, disable it for one specific argument.
> Ex:
> SecRule ARGS "bad pattern" "id:10000,..."
> ...
> <Location ...>
> SecRule ARGS:name \
> "phase:2,t:none,allow,nolog,ctl:ruleRemoveById=10000"
> </Location>
>
> Nick
>
You need to take care of a few things here:

(1) If you specify "ctl:ruleRemoveById" in phase 2 and rule with id 10000 is a phase 1 rule, then removal will take place after rule 10000 has already been applied.

(2) In your sample above, if you remove the rule 10000 in dependency of a "name" parameter, you will also lose the check of all the other parameters in case a "name" parameter is present.

So together you have a catch-22 rule.

The straightforward solution would be what Ryan sort of suggested:

a) split your check into a check for ARGS:name and one for ARGS:!name
b) give each of these a different ID
c) remove the ARGS:name rule within your location.

In case your ARGS are present in the header, you don't even need to take care about the "removeRule" in phase 2 as you would only place the "ARGS:name" rule in phase 2.

I think (a) is mandatory in any way due to the implication of (2).
Regards,
Chris
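The split Chris describes in (a)-(c), written out as an added ModSecurity 2.x configuration example (not from the thread). The pattern, ids and location path are placeholders; the location-scoped removal uses the SecRuleRemoveById directive, which is applied at configuration time for that context and so does not depend on the phase ordering discussed in (1).

```apache
# Added example, not from the original thread. Placeholders: the
# "bad pattern" regex, rule ids 10000/10001 and the /legacy/form path.

# Global rules: one for every argument except "name", one for "name"
# only. Each gets its own id so they can be removed independently.
SecRule ARGS:!name "@rx bad pattern" \
    "id:10000,phase:2,t:none,deny,log,msg:'bad pattern in argument'"
SecRule ARGS:name "@rx bad pattern" \
    "id:10001,phase:2,t:none,deny,log,msg:'bad pattern in name argument'"

# In the sub-location only the "name"-specific rule is dropped;
# rule 10000 keeps inspecting all the other arguments there.
<Location /legacy/form>
    SecRuleRemoveById 10001
</Location>
```

Because rule 10000 still runs in the sub-location, a request carrying a "name" parameter no longer switches off the check for its other arguments, which is the catch-22 in point (2).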