[Owasp-modsecurity-core-rule-set] phpmyadmin usage via localhost interface through mod_security
chris at jwall.org
Sun Oct 31 06:23:47 EDT 2010
On 31.10.2010 at 00:41, Jason Brooks wrote:
>> SecRule REMOTE_ADDR "@streq xxx.xxx.xxx.xxx" "phase:1,nolog,allow, \
> Does the equivalent string "LOCAL_ADDR" exist? It's the listening
> address of localhost i want to unblock...
Yes, there exists an equivalent, which is SERVER_ADDR
>> To disable some of the rules based on URI you can use something like:
>> <LocationMatch /phpmyadmin/>
>> SecRuleRemoveById 900000-900010
>> SecRuleRemoveById 999999
> Silly question: how do I determine what the various ruleids will be?
In no way a silly question.
Currently, you'll have to manually walk through the core-rules to figure out
which rules are hit by a range of (900000-900010).
Another way to address this is the following:
The rule-IDs will be logged. If you don't have a log-management tool yet,
then I'd recommend for you to have a look at the audit-console at
which provides a web-interface for that.
(There will be an easy "apt-get install auditconsole" way coming soon to
make installing easier).
With the AuditConsole you will be able to filter all requests/alerts by
RULE_ID and check which URLs have triggered a specific rule id.
Another way would be to filter by "REQUEST_URI @sx /phpmyadmin/*" which
will give you all alerts for requests to phpmyadmin URLs and allows you to
skip through these to check which rules you need to exclude.
> I think i need to buy the book. :)
You won't regret it!
It's really well written and has a very nice concept of "up-to-date"-ness :-)
I'd recommend obtaining the bundle (including paperback).
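The reply above suggests filtering logged alerts by request URI to find which rule IDs to exclude. As an added example (not part of the original message and not AuditConsole or project code), the sketch below does that over a ModSecurity serial audit log, assuming parts B and H are being logged; the function names, the sample log and the rule IDs in it are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed, abridged sample in the serial audit-log layout (not real traffic).
SAMPLE_AUDIT_LOG = """\
--a1a1a1a1-A--
--a1a1a1a1-B--
POST /phpmyadmin/import.php HTTP/1.1
--a1a1a1a1-H--
Message: Warning. Pattern match "x" at ARGS:sql_query. [id "900001"] [msg "constructed"]
Message: Warning. Operator GE matched 5 at TX:score. [id "999999"] [msg "constructed"]
--a1a1a1a1-Z--
--b2b2b2b2-A--
--b2b2b2b2-B--
GET /index.html?q=1 HTTP/1.1
--b2b2b2b2-H--
Message: Warning. Pattern match "x" at ARGS:q. [id "900005"] [msg "constructed"]
--b2b2b2b2-Z--
--c3c3c3c3-A--
--c3c3c3c3-B--
GET /phpmyadmin/sql.php?db=test HTTP/1.1
--c3c3c3c3-H--
Message: Warning. Pattern match "x" at ARGS:db. [id "900001"] [msg "constructed"]
--c3c3c3c3-Z--
"""

BOUNDARY = re.compile(r"^--[0-9a-f]+-([A-Z])--$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')

def rule_ids_by_uri(log_text, uri_prefix):
    """Map rule id -> set of request paths under uri_prefix that triggered it."""
    hits, section, uri, first_in_section = defaultdict(set), None, None, False
    for line in log_text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            section, first_in_section = m.group(1), True
            if section == "A":
                uri = None  # new transaction: forget the previous request
            continue
        if section == "B" and first_in_section:
            parts = line.split()  # request line: METHOD URI PROTOCOL
            uri = parts[1].split("?", 1)[0] if len(parts) >= 2 else None
        elif section == "H" and line.startswith("Message:") and (uri or "").startswith(uri_prefix):
            for rid in RULE_ID.findall(line):
                hits[rid].add(uri)
        first_in_section = False
    return dict(hits)

def remove_by_id_lines(hits):
    """Candidate exclusions for a <LocationMatch> block, to be reviewed by hand."""
    return ["SecRuleRemoveById %s" % rid for rid in sorted(hits, key=int)]
```

Each ID in the output is a candidate only: check the logged message for every hit before excluding the rule for that location.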