[Owasp-modsecurity-core-rule-set] phpmyadmin usage via localhost interface through mod_security

Christian Bockermann chris at jwall.org
Sun Oct 31 06:23:47 EDT 2010


Hi Jason!

Am 31.10.2010 um 00:41 schrieb Jason Brooks:
>> SecRule REMOTE_ADDR "@streq xxx.xxx.xxx.xxx" "phase:1,nolog,allow, \
>> ctl:ruleEngine=Off,ctl:auditEngine=Off"
>> 
> 
> Does the equivalent string "LOCAL_ADDR" exist?  It's the listening  
> address of localhost i want to unblock...

Yes, there exists an equivalent, which is  SERVER_ADDR


>> To disable some of the rules based on URI you can use something like:
>> 
>> <LocationMatch /phpmyadmin/>
>> SecRuleRemoveById 900000-900010
>> SecRuleRemoveById 999999
>> </LocationMatch>
> 
> Silly question: how do I determine what the various ruleids will be?

In no way a silly question.
Currently, you'll have to manually walk through the core-rules to figure out
which rules are hit by a range of (900000-900010).

Another way to address this is the following:
The rule-IDs will be logged. If you don't have a log-management tool, yet,
then I'd recommend for you to have a look at the audit-console at

	http://www.jwall.org/AuditConsole

which provides a web-interface for that.
(An easy "apt-get install auditconsole" way will be coming soon to
 make installation easier.)

With the AuditConsole you will be able to filter all requests/alerts by
RULE_ID and check which URLs have triggered a specific rule id.

Another way would be to filter by "REQUEST_URI @sx /phpmyadmin/*" which
will give you all alerts for requests to phpmyadmin-URLs and allows you to
skip through these to check which rules you need to exclude.

> I think I need to buy the book.   :)

You won't regret it!
It's really well written and has a very nice concept of "up-to-date"-ness :-)

I'd recommend obtaining the bundle (including the paperback).

Regards,
    Chris
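The reply above says the rule IDs are logged and that, without a tool like the AuditConsole, you have to work out by hand which CRS rules fire on /phpmyadmin/ requests. The script below is an added example, not code from the list thread or from the AuditConsole project: it pulls the `[id "..."]`, `[uri "..."]`, `[msg "..."]` and `[client ...]` fields out of ModSecurity 2.x alerts as they appear in the Apache error_log, groups the IDs by URI under a prefix, and renders a `<LocationMatch>` block with one `SecRuleRemoveById` per ID. The log lines, rule IDs and messages are constructed for illustration; the `skip` set is an assumption used to keep anomaly-scoring or blocking rules (which you normally do not want to remove) out of the generated exclusion.

```python
import re
from collections import defaultdict

# Constructed sample Apache error_log lines in ModSecurity 2.x format.
# IDs, URIs, messages and client addresses are illustrative only.
SAMPLE_LOG = """\
[Sun Oct 31 06:20:01 2010] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:sql_query. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "42"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "localhost"] [uri "/phpmyadmin/sql.php"] [unique_id "abc1"]
[Sun Oct 31 06:20:01 2010] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:sleep)" at ARGS:sql_query. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "50"] [id "950007"] [msg "Blind SQL Injection Attack"] [severity "CRITICAL"] [hostname "localhost"] [uri "/phpmyadmin/sql.php"] [unique_id "abc2"]
[Sun Oct 31 06:21:13 2010] [error] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded"] [hostname "localhost"] [uri "/phpmyadmin/tbl_change.php"] [unique_id "abc3"]
[Sun Oct 31 06:22:40 2010] [error] [client 203.0.113.9] ModSecurity: Warning. Pattern match "(?i:<script)" at ARGS:q. [file "/etc/modsecurity/modsecurity_crs_41_xss_attacks.conf"] [line "70"] [id "958000"] [msg "Cross-site Scripting (XSS) Attack"] [severity "CRITICAL"] [hostname "www"] [uri "/search.php"] [unique_id "abc4"]
"""

# Each bracketed field is searched independently so field order does not matter.
ID_RE = re.compile(r'\[id "(\d+)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')


def parse_alerts(log_text):
    """Return one dict per ModSecurity alert line that carries an id and a uri."""
    alerts = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue  # ordinary Apache error lines are not alerts
        rid, uri = ID_RE.search(line), URI_RE.search(line)
        if not (rid and uri):
            continue  # e.g. "Access denied" summary lines without a rule id
        msg, client = MSG_RE.search(line), CLIENT_RE.search(line)
        alerts.append({
            "id": int(rid.group(1)),
            "uri": uri.group(1),
            "msg": msg.group(1) if msg else "",
            "client": client.group(1) if client else "",
        })
    return alerts


def ids_by_uri(alerts, prefix):
    """Map each URI under `prefix` to the set of rule ids that fired on it."""
    table = defaultdict(set)
    for a in alerts:
        if a["uri"].startswith(prefix):
            table[a["uri"]].add(a["id"])
    return dict(table)


def exclusion_ids(alerts, prefix, skip=(), client=None):
    """Sorted rule ids that fired under `prefix`, optionally limited to one client.

    `skip` (an assumption of this example) holds ids you never want to remove,
    such as the anomaly-score blocking rule: removing it would silence blocking
    for the whole location instead of just the noisy detection rules.
    """
    return sorted({
        a["id"] for a in alerts
        if a["uri"].startswith(prefix)
        and a["id"] not in set(skip)
        and (client is None or a["client"] == client)
    })


def render_exclusion(prefix, ids):
    """Render an Apache <LocationMatch> block with one SecRuleRemoveById per id."""
    body = [f"    SecRuleRemoveById {i}" for i in ids]
    return "\n".join([f"<LocationMatch {prefix}>", *body, "</LocationMatch>"])


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    for uri, ids in sorted(ids_by_uri(alerts, "/phpmyadmin/").items()):
        print(uri, sorted(ids))
    # 981176 stands in for the inbound blocking rule in the constructed sample.
    ids = exclusion_ids(alerts, "/phpmyadmin/", skip={981176})
    print(render_exclusion("/phpmyadmin/", ids))
```

Review the per-URI listing before pasting the generated block into the Apache config: every ID it contains stops being evaluated for that location, so only accept the ones whose alerts you have confirmed were legitimate phpMyAdmin traffic, and pass the `client` filter if you only want the alerts from the localhost interface the original question was about.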

