[Owasp-modsecurity-core-rule-set] rule bypass

Ivan Ristic ivan.ristic at gmail.com
Sun Jan 17 10:25:16 EST 2010


On Sun, Jan 17, 2010 at 12:25 PM, Chris Datfung <chris.datfung at gmail.com> wrote:
> On Sun, Jan 17, 2010 at 12:34 AM, Ivan Ristic <ivan.ristic at gmail.com> wrote:
>>
>> If there's no ID you can always try to use SecRuleRemoveByMsg before
>> you resort to the direct file modification. Ryan, the author of CRS,
>> may have a better answer.
>
> Hi Ivan,
> I'll try the SecRuleRemoveByMsg. As an aside, is there a reason that
> ruleRemoveById is a ctl option but ruleRemoveByMsg is not?

Yes, there is. SecRuleRemoveBy(Id|Msg) operate at configure-time and
affect the configuration that will be used as a starting point for all
requests. The ctl:ruleRemoveById action is executed on per-transaction
basis and can only affect the transaction in which it executes.


> Ideally, in this
> case, I'd like to create a single rule that first matches the effected
> parameter and then removes the rule based on the message. I guess I could
> still do that by chaining two rules together.

Yes, that sounds likely.

-- 
Ivan Ristic
ModSecurity Handbook [https://www.feistyduck.com]
SSL Labs [https://www.ssllabs.com/ssldb/]


More information about the Owasp-modsecurity-core-rule-set mailing list