[Owasp-modsecurity-core-rule-set] rule bypass
chris.datfung at gmail.com
Sun Jan 17 07:25:14 EST 2010
On Sun, Jan 17, 2010 at 12:34 AM, Ivan Ristic <ivan.ristic at gmail.com> wrote:
> If there's no ID you can always try to use SecRuleRemoveByMsg before
> you resort to the direct file modification. Ryan, the author of CRS,
> may have a better answer.
I'll try the SecRuleRemoveByMsg. As an aside, is there a reason that
ruleRemoveById is a ctl option but ruleRemoveByMsg is not? Ideally, in this
case, I'd like to create a single rule that first matches the affected
parameter and then removes the rule based on the message. I guess I could
still do that by chaining two rules together.
> Having said that, if you don't mind, can we see the original request
> that triggered that rule (ideally the entire audit log file)?
Unfortunately, the request contains a lot of sensitive data, so it would be
a lot of work to clean it up before posting to the list.
> > Also if I may be so rude, but for the benefit of others and myself, I have a
> > hard time wrapping my brain around the new whitelisting method in the
> > CRS, can you please explain the methodology?
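The two exclusion mechanisms mentioned in this message, side by side, as an added example that is not part of the original thread. The rule IDs 999000 and 999001, the message text, the path /app/submit and the parameter name comment are constructed placeholders, not values from the poster's setup.

```apache
# Runtime exclusion: ctl:ruleRemoveById is an action, so it is decided per
# request. Here it fires only when the (placeholder) parameter "comment" is
# present. The ctl rule must run before the rule it disables: an earlier
# phase, or the same phase and earlier in the configuration.
SecRule &ARGS:comment "@gt 0" \
    "id:999000,phase:2,t:none,nolog,pass,ctl:ruleRemoveById=999001"

# Constructed stand-in for the rule being excluded (placeholder id and msg).
SecRule ARGS "@rx example-pattern" \
    "id:999001,phase:2,t:none,deny,status:403,msg:'Example Placeholder Message'"

# Configuration-time exclusion: SecRuleRemoveByMsg is a directive, applied
# when the configuration is loaded. Its argument is a regular expression
# matched against each rule's msg, and it must appear after the rule it
# removes. Wrapping it in a container limits the removal to one path, so the
# rule stays active everywhere else. This is the option available when the
# target rule has no id.
<LocationMatch "^/app/submit$">
    SecRuleRemoveByMsg "^Example Placeholder Message$"
</LocationMatch>
```

Anchoring the SecRuleRemoveByMsg pattern with ^ and $ keeps it from also removing other rules whose messages merely contain the same words.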