[Owasp-modsecurity-core-rule-set] How to replace response key words

[Ryan Barnett]

Try enabling SecContentInjection On.

Ryan

On Nov 30, 2011, at 8:16 PM, "dreamice" <dreamice.jiang at gmail.com<mailto:dreamice.jiang at gmail.com>> wrote:

Thanks for your reply!
I use the latest version(httpd-2.2.21 and mod-2.6.2),and I write the rule as follow:
SecStreamOutBodyInspection On
SecRule STREAM_OUTPUT_BODY "@rsub s/1111/xxxx/" "phase:4,t:none,log,auditlog,pass"

my default page is:
<html><body><h1>It works!</h1></body></html>
1111

After I restart the httpd, I request the index.html page, the "1111" has not been replaced.
I global set SecRuleEngine On, what is the problem with my operation?

Thanks in advance!



2011/11/24 Josh Amishav-Zlatin <jamuse at gmail.com<mailto:jamuse at gmail.com>>
On Thu, Nov 24, 2011 at 1:51 PM, dreamice <dreamice.jiang at gmail.com<mailto:dreamice.jiang at gmail.com>> wrote:
> Hi,
> I want to replace the response key words. Such as if the response data
> include "Fuck", I want to write a rule to replace it with "****", how can I
> do it?

If your using 2.6.0 or later then use the @rsub operator.

--
 - Josh

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set at lists.owasp.org<mailto:Owasp-modsecurity-core-rule-set at lists.owasp.org>
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.