[Owasp-modsecurity-core-rule-set] Change/delete a variable !

Ryan Barnett rcbarnett at gmail.com
Wed Aug 19 09:07:24 EDT 2009


On Wednesday 19 August 2009 08:47:43 am Dr. Paolo Frizzera wrote:
> Hi,
> I have a question: "It's possible to change/delete a variable that come
> in a query string or in a form?"
> Or "It's possible to "masquerade" this variable for the rest of the rules?"
> I want to follow all the controls of the rules but not for that variable.
>
> If is possible, how it's possible ?
> I tried some rules, but without success !
>
> TIA,
> Paolo
Hey Paolo,
Just so I understand your question, do you want to totally exclude a specific 
parameter from matching the rules?  If so, and assuming the parameter name you 
wanted to ignore was "foo", you could implement a rules like this in the 
modsecurity_crs_48_local_exceptions.conf file -

SecRule TX:/ARGS:foo/ ".*" 
"chain,phase:2,t:none,nolog,pass,setvar:tx.anomaly_score=-20"
SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"

This rule will check to see if any previous rules have triggered for the foo 
parameter payload.  If so, it will decrement the anomaly score by 20 and 
expire the TX variables.

--
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20090819/b41722e6/attachment.html 


More information about the Owasp-modsecurity-core-rule-set mailing list