[Owasp-modsecurity-core-rule-set] rule bypass

Chris Datfung chris.datfung at gmail.com
Sun Jan 17 07:25:14 EST 2010


On Sun, Jan 17, 2010 at 12:34 AM, Ivan Ristic <ivan.ristic at gmail.com> wrote:

>
> If there's no ID you can always try to use SecRuleRemoveByMsg before
> you resort to the direct file modification. Ryan, the author of CRS,
> may have a better answer.
>

Hi Ivan,

I'll try the SecRuleRemoveByMsg. As an aside, is there a reason that
ruleRemoveById is a ctl option but ruleRemoveByMsg is not? Ideally, in this
case, I'd like to create a single rule that first matches the affected
parameter and then removes the rule based on the message. I guess I could
still do that by chaining two rules together.


>
> Having said that, if you don't mind, can we see the original request
> that triggered that rule (ideally the entire audit log file)?
>
>
Unfortunately, the request contains a lot of sensitive data, so it would be
a lot of work to clean it up before posting to the list.


>
> > Also if I may be so rude, but for the benefit of others and myself, I have a
> > hard time wrapping my brain around the new whitelisting method in the v2.*
> > CRS, can you please explain the methodology?
>

Thanks,
 Chris