[Owasp-modsecurity-core-rule-set] rule bypass

Chris Datfung chris.datfung at gmail.com
Sun Jan 17 10:43:56 EST 2010

> >
> > Hi Ivan,
> > I'll try the SecRuleRemoveByMsg. As an aside, is there a reason that
> > ruleRemoveById is a ctl option but ruleRemoveByMsg is not?
> Yes, there is. SecRuleRemoveBy(Id|Msg) operate at configure-time and
> affect the configuration that will be used as a starting point for all
> requests. The ctl:ruleRemoveById action is executed on per-transaction
> basis and can only affect the transaction in which it executes.
Hi Ivan,

I still don't understand why you can't have a ctl:ruleRemoveByMsg action
that is executed on a per-transaction basis.

> > Ideally, in this
> > case, I'd like to create a single rule that first matches the effected
> > parameter and then removes the rule based on the message. I guess I could
> > still do that by chaining two rules together.
> Yes, that sounds likely.

I've been playing around with this and have hit a dead end. I created the
following rule:

SecRule REQUEST_URI "script.cfm"
SecRule &FILES:Filename "@gt 0" chain
SecRuleRemoveByMsg "Attempted multipart\/form-data bypass"

but whenever that rule is uncommented I get the following error:

Syntax error on line 21 of
ModSecurity: Execution phases can only be specified by chain starter rules.

By commented the rule I added the error goes away.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20100117/dcc58a3d/attachment.html 

More information about the Owasp-modsecurity-core-rule-set mailing list