25 Jul 2012 21:58
Re: SecRule syntaxes
Josh Amishav-Zlatin <jamuse <at> gmail.com>
2012-07-25 19:58:10 GMT
On Wed, Jul 25, 2012 at 1:50 AM, David R <rewt <at> linux-elite.org> wrote:
> Hello,
> I wondered how I could, for example:
> Whitelist the "param" argument for the URL /prout.php on the vhost www.host.com
> from 950901 rule id.
> The maximum that I am able to do is:
> SecRule REQUEST_HEADERS:Host "www.host.com$"
> "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=950109;ARGS:param"
> How could I include the REQUEST_URI "^/prout\.php" to that request?

Hi David,
The ruleRemoveById just takes a rule id as a parameter; the SecRuleUpdateTargetById directive lets you whitelist certain parameters for a given rule. While you can chain rules together to add the REQUEST_URI parameter condition, you can also use Apache Location directives, e.g.:
SecRule REQUEST_HEADERS:Host "www.host.com" "phase:1,t:none, \
nolog,id:1,chain,pass,ctl:ruleUpdateTargetById=950109!ARGS:param"
SecRule REQUEST_URI "^/prout\.php"
or
<Location /prout.php>
SecRule REQUEST_HEADERS:Host "www.host.com" "phase:1,t:none, \
nolog,id:1,pass,ctl:ruleUpdateTargetById=950109!ARGS:param"
</Location>
--
- Josh
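
A chained variant of the exclusion discussed in this thread, as an added example that is not part of the original message: ModSecurity runs a non-disruptive action such as `ctl` as soon as the rule carrying it matches, so here the `ctl` sits on the last rule of the chain and takes effect only when both the Host and the path match. The rule id 10001 is a placeholder, and `ctl:ruleRemoveTargetById` and `REQUEST_FILENAME` are assumptions used in place of the action and variable shown in the message.

```apache
# Added example (not from the original thread).
# id:10001 is a placeholder; pick an id from your own local range.
#
# Rule 1 (chain starter): match the virtual host. It carries only the
# metadata and the disruptive action (pass); no ctl here, because a
# non-disruptive action on the starter would run for every request to
# this host, whatever the path.
SecRule REQUEST_HEADERS:Host "@rx ^www\.host\.com(?::[0-9]+)?$" \
    "id:10001,phase:1,t:none,t:lowercase,nolog,pass,chain"
    # Rule 2 (end of chain): match the script path only. REQUEST_FILENAME
    # excludes the query string, so an exact string compare is enough.
    # The ctl runs only if this rule matches, i.e. only when the whole
    # chain has matched, and drops ARGS:param from rule 950109's targets
    # for the current transaction.
    SecRule REQUEST_FILENAME "@streq /prout.php" \
        "t:none,ctl:ruleRemoveTargetById=950109;ARGS:param"
```

The exclusion has to be evaluated before rule 950109 does, so load it ahead of the rule set and keep it in phase 1.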