From: Nick Gearls <nickgearls <at> gmail.com>
Subject: Re: Disabling rules for one argument
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-07-07 08:53:18 GMT
Btw, isn't it possible to define a dynamic rule (generic), like
SecRule ARGS|!ARGS:xxx "bad pattern"
where xxx is defined, either via transaction data or an environment variable?

Thanks,
Regards,
Nick

Nick Gearls wrote:
> Thanks Barnett,
> I was a bit afraid beforehand about the answer
>
> If I understand correctly, there is no way, for example, to remove a
> core rule check for one argument without modifying the core rule,
> right ?
>
> How does the ctl:ruleRemoveById rule work exactly ?
> I suppose it is evaluated
> 1. either before the id rule is defined
> -> id was not defined
> -> ignored
> 2. or after the id rule is defined
> -> the request was already blocked
> -> never reached
>
>
> Regards,
>
> Nick
>
>
> Ryan Barnett wrote:
>>> -----Original Message-----
>>> From: Nick Gearls [mailto:nickgearls <at> gmail.com]
>>> Sent: Friday, July 04, 2008 11:04 AM
>>> To: Ryan Barnett
>>> Cc: mod-security-users <at> lists.sourceforge.net
>>> Subject: Re: [mod-security-users] Disabling rules for one argument
>>>
>>> Obviously, I was not specific enough.
>>>
>>> I want to create a rule for all arguments at the global level, then,
>>> inside a sub-location, disable it for one specific argument.
>>> Ex:
>>> SecRule ARGS "bad pattern" "id:10000,..."
>>> ...
>>> <Location ...>
>>> SecRule ARGS:name \
>>> "phase:2,t:none,allow,nolog,ctl:ruleRemoveById=10000"
>>> </Location>
>>>
>> [Ryan Barnett] Thanks for clarifying. This is a bit of a tricky one :)
>> In order to get the rule logic that you want, you will most likely need
>> to use some combination of skip actions. Here is an example rule set
>> that should work (not tested though) -
>>
>> SecRule REQUEST_FILENAME "^/location/path/"
>> "chain,phase:2,id:10000,deny"
>> SecRule ARGS|!ARGS:name "bad pattern"
>> SecRule REQUEST_FILENAME "^/location/path/" "phase:2,nolog,pass,skip:1"
>> SecRule ARGS "bad pattern" "phase:2,id:10001,..."
>>
>> The 1st rule evaluates the Location that you wanted for the exception
>> and then applies the updated variable list. Next, you need to use that
>> same Location check to determine if you are going to run your global
>> rule or not. If it is not the exception Location then it will run your
>> global rule.
>>
>
-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
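A toy model of the evaluation order, added here as an example (it is not ModSecurity code and is not from either poster): it replays the two rule layouts from this thread, the global rule followed by a <Location> exception carrying ctl:ruleRemoveById, and the REQUEST_FILENAME chain plus skip:1 construction from the reply, against a few constructed requests. Only what matters for ordering is modelled: targets such as ARGS|!ARGS:name, chain, deny, pass, skip:N and ruleRemoveById. The rule ids, the /location/path/ prefix and the argument name are the thread's own; the request samples are made up.

```python
"""Toy model of ModSecurity 2.x rule ordering (added example, not ModSecurity
code).  It shows why a ctl:ruleRemoveById placed after the rule it names
cannot undo a deny that already happened, and how the REQUEST_FILENAME
chain + skip:1 construction from the reply exempts one argument in one
location.  Rule targets are mimicked, not parsed."""
import re


class Rule:
    """One SecRule.  chain_to is the next link, checked only if this one matches."""

    def __init__(self, rule_id, target, pattern=None, actions=(), chain_to=None):
        self.id = rule_id              # None for an unnumbered rule
        self.target = target           # e.g. "ARGS", "ARGS|!ARGS:name", "REQUEST_FILENAME"
        self.pattern = pattern         # @rx operator; None = unconditional match
        self.actions = list(actions)   # "deny", "pass", "skip:1", "ruleRemoveById=ID"
        self.chain_to = chain_to


def select_values(target, request):
    """Expand a target list such as ARGS|!ARGS:name into the values to inspect.
    A '!' entry removes the named variable(s) from the collection."""
    wanted, excluded = [], set()
    for part in target.split("|"):
        negate = part.startswith("!")
        part = part.lstrip("!")
        if part == "REQUEST_FILENAME":
            values = [("REQUEST_FILENAME", request["path"])]
        elif part == "ARGS":
            values = list(request["args"].items())
        elif part.startswith("ARGS:"):
            name = part[len("ARGS:"):]
            values = [(name, request["args"][name])] if name in request["args"] else []
        else:
            raise ValueError("unsupported target " + part)
        if negate:
            excluded.update(name for name, _ in values)
        else:
            wanted.extend(values)
    return [value for name, value in wanted if name not in excluded]


def chain_matches(rule, request):
    """Every link must match; a link with no variables to inspect never matches."""
    link = rule
    while link is not None:
        values = select_values(link.target, request)
        if not values:
            return False
        if link.pattern is not None and not any(re.search(link.pattern, v) for v in values):
            return False
        link = link.chain_to
    return True


def evaluate(rules, request):
    """Run one phase in file order; return ('deny', id) or ('allow', None).
    Rules from a <Location> are merged after the global ones, so they come last."""
    removed = set()
    i = 0
    while i < len(rules):
        rule = rules[i]
        i += 1
        if rule.id in removed:          # a ctl:ruleRemoveById seen earlier
            continue
        if not chain_matches(rule, request):
            continue
        for action in rule.actions:     # actions sit on the chain head
            if action == "deny":
                return ("deny", rule.id)
            if action.startswith("skip:"):
                i += int(action.split(":", 1)[1])
            if action.startswith("ruleRemoveById="):
                removed.add(int(action.split("=", 1)[1]))
    return ("allow", None)


BAD = r"bad pattern"
LOCATION = r"^/location/path/"

# Original idea: global rule, then the <Location> exception.  Apache hands the
# global rule to the engine first, so 10000 has already denied the request
# by the time ctl:ruleRemoveById=10000 could run.
NAIVE = [
    Rule(10000, "ARGS", BAD, ["deny"]),
    Rule(None, "ARGS:name", None, ["pass", "ruleRemoveById=10000"]),  # <Location ...>
]

# The reply's layout: 10000 checks every argument except "name", but only in
# the location; the next rule then skips the global rule 10001 there.
REPLY = [
    Rule(10000, "REQUEST_FILENAME", LOCATION, ["deny"],
         chain_to=Rule(None, "ARGS|!ARGS:name", BAD)),
    Rule(None, "REQUEST_FILENAME", LOCATION, ["pass", "skip:1"]),
    Rule(10001, "ARGS", BAD, ["deny"]),
]

# Constructed sample requests: path plus decoded arguments.
REQUESTS = {
    "exempt_arg_in_location": {"path": "/location/path/form", "args": {"name": "a bad pattern"}},
    "other_arg_in_location": {"path": "/location/path/form",
                              "args": {"name": "ok", "comment": "bad pattern"}},
    "exempt_arg_elsewhere": {"path": "/other/form", "args": {"name": "a bad pattern"}},
    "clean": {"path": "/location/path/form", "args": {"name": "fine", "comment": "fine"}},
}


def compare():
    """Verdict of both layouts for every sample request."""
    return {label: {"naive": evaluate(NAIVE, req), "reply": evaluate(REPLY, req)}
            for label, req in REQUESTS.items()}


if __name__ == "__main__":
    for label, verdicts in compare().items():
        print(label, verdicts)
```

compare() shows the naive layout denying the exempt argument (the Location rule never gets a turn), while the reply's layout allows it, still catches a bad value in any other argument inside the location, and still applies the global rule elsewhere. Two caveats for the real configuration: skip:1 counts rules, so the pass/skip rule has to sit immediately before the single global rule it bypasses; and later ModSecurity 2.x releases added SecRuleUpdateTargetById and ctl:ruleRemoveTargetById, which drop one target from an existing rule without the chain/skip construction (this thread predates them).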