[Owasp-modsecurity-core-rule-set] More Squirrelmail Denials

Ryan Barnett ryan.barnett at breach.com
Wed Jan 13 13:31:47 EST 2010


On Wednesday 13 January 2010 01:17:35 pm Arthur Dent wrote:

> Hi Ryan,
> 
> Many thanks for this. I wish I understood better how the CRS works, but
> I'm afraid I don't. This means that I am at a bit of a loss to know what
> to do when Apache reports a syntax error in your rules... Sorry...
> 
> # service httpd restart
> Stopping httpd:                                            [  OK  ]
> Starting httpd: Syntax error on line 65 of
>  /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_48_local_exceptions.co
> nf: Error creating rule: Unexpected character at position 51:
>  TX:PHPIDS-30-WEB_ATTACK/INJECTION-2-Detects common XSS concatenation
>  patterns 1/2-ARGS_NAMES:smaction[save][1] [FAILED]
> 

Try this one instead -

SecRule TX:'/PHPIDS-30-(.*)-ARGS_NAMES:smaction[save][1]/' "@contains ][" 
"chain,phase:2,t:none,nolog,pass"
       SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.
%{tx.1},setvar:tx.anomaly_score=-4"


> I do appreciate your help with this. Thanks.
> 
> Mark
> 
> p.s.
> When is CRS 2.0.5 coming out?
> 
Not sure - We are trying to make a bunch of updates including the comments by Ivan Ristic.

We will send out a note to the list when it is released.

-Ryan


More information about the Owasp-modsecurity-core-rule-set mailing list