Ryan Barnett | 4 Jul 19:45

Re: Disabling rules for one argument

> -----Original Message-----
> From: Nick Gearls [mailto:nickgearls <at> gmail.com]
> Sent: Friday, July 04, 2008 11:04 AM
> To: Ryan Barnett
> Cc: mod-security-users <at> lists.sourceforge.net
> Subject: Re: [mod-security-users] Disabling rules for one argument
> 
> Obviously, I was not specific enough.
> 
> I want to create a rule for all arguments at the global level, then,
> inside a sub-location, disable it for one specific argument.
> Ex:
> 	SecRule ARGS "bad pattern" "id:10000,..."
> 	...
> 	<Location ...>
> 	 SecRule ARGS:name \
> 	   "phase:2,t:none,allow,nolog,ctl:ruleRemoveById=10000"
> 	</Location>
> 
[Ryan Barnett] Thanks for clarifying.  This is a bit of a tricky one :)
In order to get the rule logic that you want, you will most likely need
to use some combination of skip actions.  Here is an example rule set
that should work (not tested though) -

# Rule 10000: inside the exception Location, inspect every argument except "name"
# (the first rule of a chain needs a line continuation, otherwise Apache sees two rules)
SecRule REQUEST_FILENAME "^/location/path/" \
    "chain,phase:2,id:10000,deny"
    SecRule ARGS|!ARGS:name "bad pattern"
# Inside the exception Location, skip the global rule that follows
SecRule REQUEST_FILENAME "^/location/path/" "phase:2,nolog,pass,skip:1"
# Rule 10001: the global rule, reached only outside the exception Location
SecRule ARGS "bad pattern" "phase:2,id:10001,..."

The 1st rule evaluates the Location that you wanted for the exception
and then applies the updated variable list.  Next, you need to use that
same Location check to determine if you are going to run your global
rule or not.  If it is not the exception Location then it will run your
global rule.
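An alternative layout for the same exception, added here as an illustration and not taken from the thread: rather than steering around the global rule with skip actions, the global rule is dropped inside the Location with SecRuleRemoveById and re-declared there with the one argument excluded. The path, the rule ids, the pattern and the message text are placeholders.

```apache
# Added example (not from the thread): per-Location removal and re-declaration,
# as supported by ModSecurity 2.x. Path, ids, pattern and messages are placeholders.

# Global rule: inspect every request argument
SecRule ARGS "bad pattern" \
    "phase:2,id:10001,t:none,deny,log,msg:'bad pattern in argument'"

<Location /location/path/>
    # Inside this location the global rule must not fire ...
    SecRuleRemoveById 10001

    # ... so re-declare it here with the excepted argument taken out of the
    # target list. Everything else (phase, transformations, action) stays identical.
    SecRule ARGS|!ARGS:name "bad pattern" \
        "phase:2,id:10002,t:none,deny,log,msg:'bad pattern in argument (name excluded)'"
</Location>
```

The check to run before relying on either layout is the same: send the pattern in the excepted argument and in another argument, both inside and outside the Location, and confirm from the audit log that only the three expected cases are denied. Keep the re-declared rule's phase and transformation list identical to the global rule's, otherwise the exception silently changes what is matched.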
