[Owasp-modsecurity-core-rule-set] rule bypass

Ivan Ristic ivan.ristic at gmail.com
Sun Jan 17 10:51:43 EST 2010


Ah, I now realise that there's no ctl:ruleRemoveByMsg and since
there's no ID associated with the rule you want to remove, your only
option is to modify the CRS file directly.


On Sun, Jan 17, 2010 at 3:50 PM, Ivan Ristic <ivan.ristic at gmail.com> wrote:
> On Sun, Jan 17, 2010 at 3:43 PM, Chris Datfung <chris.datfung at gmail.com> wrote:
>>> >
>>> > Hi Ivan,
>>> > I'll try the SecRuleRemoveByMsg. As an aside, is there a reason that
>>> > ruleRemoveById is a ctl option but ruleRemoveByMsg is not?
>>>
>>> Yes, there is. SecRuleRemoveBy(Id|Msg) operate at configure-time and
>>> affect the configuration that will be used as a starting point for all
>>> requests. The ctl:ruleRemoveById action is executed on a per-transaction
>>> basis and can only affect the transaction in which it executes.
>>>
>>
>> Hi Ivan,
>>
>> I still don't understand why you can't have a ctl:ruleRemoveByMsg action
>> that is executed on a per-transaction basis.
>
> You most certainly can. In fact, that's the only way to conditionally
> remove a rule (which sounds like what you're after).
>
>
>>> > Ideally, in this
>>> > case, I'd like to create a single rule that first matches the affected
>>> > parameter and then removes the rule based on the message. I guess I
>>> > could
>>> > still do that by chaining two rules together.
>>>
>>> Yes, that sounds likely.
>>
>> I've been playing around with this and have hit a dead end. I created the
>> following rule:
>>
>> SecRule REQUEST_URI "script.cfm"
>> phase:1,t:none,t:urlDecode,t:lowercase,t:normalisePath,chain
>> SecRule &FILES:Filename "@gt 0" chain
>> SecRuleRemoveByMsg "Attempted multipart\/form-data bypass"
>
> SecRuleRemoveByMsg is also not a rule and cannot be chained. It's a
> configuration directive. You should be using the ctl: action in your
> second rule.
>
>
>> but whenever that rule is uncommented I get the following error:
>>
>> Syntax error on line 21 of
>> /opt/modsecurity/etc/crs/base_rules/modsecurity_crs_20_protocol_violations.conf:
>> ModSecurity: Execution phases can only be specified by chain starter rules.
>
> What's on line 21?
>
> --
> Ivan Ristic
> ModSecurity Handbook [https://www.feistyduck.com]
> SSL Labs [https://www.ssllabs.com/ssldb/]
>



-- 
Ivan Ristic
ModSecurity Handbook [https://www.feistyduck.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
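As an added illustration of the pattern Ivan describes (not a rule from the thread, the CRS, or either author), the following is a chained rule that disables one CRS rule for a single transaction with the ctl: action. It assumes the CRS rule has first been given an id in the CRS file (the thread notes the multipart bypass rule had none); the ids 1000100 and 1000101 are hypothetical placeholders. Note that in the quoted rule the trailing `chain` has no following SecRule of its own, so ModSecurity attaches the next rule in the CRS file as the chain child, which is why it complains about a phase on a non-starter rule.

```apache
# Added example, not part of the original thread.
#
# Step 1 (in the CRS file): give the rule to be suppressed an id so it can be
# addressed from a ctl: action. 1000100 is a hypothetical placeholder id.
#
#   SecRule ... "...,msg:'Attempted multipart/form-data bypass',id:1000100"
#
# Step 2 (in a file loaded BEFORE the CRS file, so it runs first within the
# phase): the whitelisting chain. Only the chain starter carries phase and id;
# the chain child carries the ctl action, which runs only when every rule in
# the chain has matched, and only for the current transaction.
#
# FILES is populated from the parsed request body, so the chain must run in
# phase 2; in phase 1 &FILES:Filename would always be 0 and the chain would
# never match.
SecRule REQUEST_URI "script\.cfm" \
    "phase:2,id:1000101,t:none,t:urlDecode,t:lowercase,t:normalisePath,pass,nolog,chain"
    SecRule &FILES:Filename "@gt 0" \
        "t:none,ctl:ruleRemoveById=1000100"
```

Because ctl:ruleRemoveById is a per-transaction action, the CRS rule stays active for every other request; only uploads to script.cfm skip it, and the suppression is visible in the debug log rather than silently baked into the configuration.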

