[Owasp-modsecurity-core-rule-set] Owasp-modsecurity-core-rule-set Digest, Vol 34, Issue 4

Josh Amishav-Zlatin jamuse at gmail.com
Sat Jan 14 21:34:10 UTC 2012


On Sat, Jan 14, 2012 at 2:10 AM, Jonathan McGraw <support at jsmcgraw.com> wrote:
>>to exclude files ending with .gif, but I probably got these calls wrong
>>as regexp isn't my strong side if I say so. Not even sure if I could use
>>a regexp there to exclude files with certain extensions? Personally I
>>would like to exclude .gif, .png and .jpg as they basically are the only
>>ones used for web sites and I can't see any way how requesting an image
>>file could cause any harm?

Hi Jonathan and Joakim,

There are a few ways to do this. You can use the Apache LocationMatch
or FilesMatch directive like so:

<FilesMatch "\.(gif|jpe?g|png)$">
  SecRuleRemoveById 123456
</FilesMatch>

The ModSecurity colon operator also allows you to use regular
expressions to specify the name to use. For example, you can search all
arguments that start with the string 'foo' via ARGS:/^foo/. Having
said that, not all collections support parameters; REQUEST_FILENAME is
one example where parameters are not supported. While that makes sense
when using the SecRule directive, it appears to be a useful (missing)
feature when used with SecRuleUpdateTargetById.

--
 - Josh
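The following is an added example, not part of Josh's message or of the CRS project. It models, in plain Python, what the two mechanisms above select: the FilesMatch pattern from the message applied to a request path, and a ModSecurity-style ARGS selector with a regex on the parameter name, as used with SecRuleUpdateTargetById exclusions. The rule id, the request paths and the argument names are constructed placeholders. It also shows two caveats a reviewer would check before deploying such an exclusion: the pattern needs the trailing `$` anchor so the rule is only removed for real image names, and, as written on the page, it is case-sensitive, so `.GIF` is not covered unless `(?i)` is added.

```python
import re
from typing import Dict, List

# Pattern exactly as given in the message (case-sensitive, anchored at end).
FILES_MATCH_FROM_PAGE = re.compile(r"\.(gif|jpe?g|png)$")
# Same pattern with the anchor dropped: the weak form, shown only for contrast.
FILES_MATCH_UNANCHORED = re.compile(r"\.(gif|jpe?g|png)")
# Case-insensitive variant, equivalent to "(?i)\.(gif|jpe?g|png)$" in httpd.conf.
FILES_MATCH_CASE_INSENSITIVE = re.compile(r"\.(gif|jpe?g|png)$", re.IGNORECASE)


def rule_removed_for(request_path: str, pattern: re.Pattern) -> bool:
    """Mimic <FilesMatch> scope: httpd tests the pattern against the final
    path component only, never against the query string. Returns True when
    a SecRuleRemoveById placed inside that container would apply."""
    path_only = request_path.split("?", 1)[0]
    basename = path_only.rsplit("/", 1)[-1]
    return pattern.search(basename) is not None


def select_args(args: Dict[str, str], selector: str) -> List[str]:
    """Resolve a ModSecurity-style selector on the ARGS collection.
    'ARGS:/^foo/' treats the part between slashes as a regex on the
    parameter name; 'ARGS:id' is a literal name. Only ARGS is modelled
    here (an assumption of this example; REQUEST_FILENAME takes no parameter)."""
    collection, _, key = selector.partition(":")
    if collection != "ARGS":
        raise ValueError("only the ARGS collection is modelled in this example")
    if len(key) >= 2 and key.startswith("/") and key.endswith("/"):
        name_re = re.compile(key[1:-1])
        return [name for name in args if name_re.search(name)]
    return [name for name in args if name == key]


def effective_targets(args: Dict[str, str], exclusions: List[str]) -> List[str]:
    """Argument names a rule still inspects after
    'SecRuleUpdateTargetById <id> !ARGS:/^foo/'-style exclusions."""
    excluded = set()
    for exclusion in exclusions:
        excluded.update(select_args(args, exclusion.lstrip("!")))
    return [name for name in args if name not in excluded]


if __name__ == "__main__":
    # Constructed sample requests and parameters.
    for path in ("/images/logo.gif", "/upload.gif.php", "/logo.GIF"):
        print(path, "rule removed:", rule_removed_for(path, FILES_MATCH_FROM_PAGE))
    sample_args = {"foo": "1", "foobar": "2", "bar": "3"}
    print("still inspected:", effective_targets(sample_args, ["!ARGS:/^foo/"]))
```

Running the block shows that `/images/logo.gif` exempts the rule while `/upload.gif.php` does not under the anchored pattern (it would under the unanchored one), that `/logo.GIF` is only exempted by the `(?i)` variant, and that `!ARGS:/^foo/` leaves only `bar` to be inspected.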

