[Owasp-modsecurity-core-rule-set] phpmyadmin usage via localhost interface through mod_security

Christian Bockermann chris at jwall.org
Sun Oct 31 06:23:47 EDT 2010

Hi Jason!

On 31.10.2010 at 00:41, Jason Brooks wrote:
>> SecRule REMOTE_ADDR "@streq xxx.xxx.xxx.xxx" "phase:1,nolog,allow, \
>> ctl:ruleEngine=Off,ctl:auditEngine=Off"
> Does the equivalent string "LOCAL_ADDR" exist? It's the listening
> address of localhost I want to unblock...

Yes, there exists an equivalent, which is SERVER_ADDR

>> To disable some of the rules based on URI you can use something like:
>> <LocationMatch /phpmyadmin/>
>> SecRuleRemoveById 900000-900010
>> SecRuleRemoveById 999999
>> </LocationMatch>
> Silly question: how do I determine what the various ruleids will be?

In no way a silly question.
Currently, you'll have to manually walk through the core-rules to figure out
which rules are hit by a range of (900000-900010).

Another way to address this is the following:
The rule-IDs will be logged. If you don't have a log-management tool yet,
then I'd recommend for you to have a look at the audit-console at


which provides a web-interface for that.
(There will be an easy "apt-get install auditconsole" way coming soon to
 make installing easier).

With the AuditConsole you will be able to filter all requests/alerts by
RULE_ID and check which URLs have triggered a specific rule id.

Another way would be to filter by "REQUEST_URI @sx /phpmyadmin/*" which
will give you all alerts for requests to phpmyadmin-URLs and allows you to
skip through these to check which rules you need to exclude.

> I think I need to buy the book. :)

You won't regret it!
It's really well written and has a very nice concept of "up-to-date"-ness :-)

I'd recommend to obtain the bundle (including paper-back).
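
The log-based approach from the message above, as an added example that is not part of the original post and is not AuditConsole or ModSecurity code: it reads a serial audit log and reports which rule IDs fired for request paths under /phpmyadmin/. It assumes the ModSecurity 2.x serial layout with A, B, H and Z section boundaries; the sample log, its rule IDs and the name `rule_ids_for_prefix` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
# Constructed, trimmed sample in ModSecurity 2.x serial audit-log layout (not real traffic).
SAMPLE_LOG = """\
--0a1b2c3d-A--
[31/Oct/2010:06:00:01 +0100] TXID0000000000000000001A 127.0.0.1 40001 127.0.0.1 80
--0a1b2c3d-B--
POST /phpmyadmin/import.php?db=test HTTP/1.1
--0a1b2c3d-H--
Message: Warning. Constructed match. [id "900003"] [msg "constructed"]
Message: Access denied with code 403 (phase 2). Constructed match. [id "999999"] [msg "constructed"]
--0a1b2c3d-Z--
--1b2c3d4e-A--
[31/Oct/2010:06:00:05 +0100] TXID0000000000000000002A 127.0.0.1 40002 127.0.0.1 80
--1b2c3d4e-B--
GET /index.html HTTP/1.1
--1b2c3d4e-H--
Message: Warning. Constructed match. [id "900007"] [msg "constructed"]
--1b2c3d4e-Z--
"""

BOUNDARY = re.compile(r"^--[0-9a-f]+-([A-Z])--$")   # e.g. --0a1b2c3d-H--
RULE_ID = re.compile(r'\[id "(\d+)"\]')             # rule id inside a Message: line

def rule_ids_for_prefix(log_text, uri_prefix):
    """Map rule id -> Counter of request paths under uri_prefix that triggered it."""
    hits = defaultdict(Counter)
    section, path, ids, want_request_line = None, None, [], False
    for line in log_text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            section = m.group(1)
            if section == "A":            # new transaction: reset per-request state
                path, ids = None, []
            want_request_line = section == "B"
            if section == "Z" and path and path.startswith(uri_prefix):
                for rid in ids:           # end of transaction: record its rule hits
                    hits[rid][path] += 1
            continue
        if section == "B" and want_request_line:
            want_request_line = False     # only the first line of B is the request line
            parts = line.split()
            path = parts[1].split("?", 1)[0] if len(parts) >= 2 else None
        elif section == "H" and line.startswith("Message:"):
            ids.extend(RULE_ID.findall(line))
    return hits

if __name__ == "__main__":
    print({rid: dict(p) for rid, p in rule_ids_for_prefix(SAMPLE_LOG, "/phpmyadmin/").items()})
```

The IDs it reports are candidates to review one by one before any of them goes into a `SecRuleRemoveById` line inside the `<LocationMatch /phpmyadmin/>` block.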
