[Owasp-modsecurity-core-rule-set] rule bypass

Ryan Barnett Ryan.Barnett at breach.com
Sun Jan 17 10:46:07 EST 2010


This doesn't work as SecRuleRemoveByMsg is a global directive and can't be chained with standard SecRules.  The easiest thing for you to do is to give this rule a rule ID of your own and then you can use the ctl action.

We will be revamping the CRS this week for v2.0.5 and will correct these issues.

-Ryan

________________________________
From: owasp-modsecurity-core-rule-set-bounces at lists.owasp.org [owasp-modsecurity-core-rule-set-bounces at lists.owasp.org] On Behalf Of Chris Datfung [chris.datfung at gmail.com]
Sent: Sunday, January 17, 2010 10:43 AM
To: Ivan Ristic
Cc: owasp-modsecurity-core-rule-set at lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] rule bypass

>
> Hi Ivan,
> I'll try the SecRuleRemoveByMsg. As an aside, is there a reason that
> ruleRemoveById is a ctl option but ruleRemoveByMsg is not?

Yes, there is. SecRuleRemoveBy(Id|Msg) operate at configure-time and
affect the configuration that will be used as a starting point for all
requests. The ctl:ruleRemoveById action is executed on per-transaction
basis and can only affect the transaction in which it executes.


Hi Ivan,

I still don't understand why you can't have a ctl:ruleRemoveByMsg action that is executed on a per-transaction basis.

> Ideally, in this
> case, I'd like to create a single rule that first matches the affected
> parameter and then removes the rule based on the message. I guess I could
> still do that by chaining two rules together.

Yes, that sounds likely.

I've been playing around with this and have hit a dead end. I created the following rule:

SecRule REQUEST_URI "script.cfm" phase:1,t:none,t:urlDecode,t:lowercase,t:normalisePath,chain
SecRule &FILES:Filename "@gt 0" chain
SecRuleRemoveByMsg "Attempted multipart\/form-data bypass"

but whenever that rule is uncommented I get the following error:

Syntax error on line 21 of /opt/modsecurity/etc/crs/base_rules/modsecurity_crs_20_protocol_violations.conf:
ModSecurity: Execution phases can only be specified by chain starter rules.

By commenting out the rule I added, the error goes away.

Thanks,
  Chris
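
The per-transaction exception suggested in the reply at the top of this thread, written out as an added example (not code from the list or from the CRS). The rule ids 1000001 and 1000002 are constructed placeholders, and the Content-Type test is an assumed stand-in for the upload check, chosen because request headers are available in phase 1.

```apache
# Added example, not part of the original thread.
# Rule ids 1000001 and 1000002 are constructed placeholders.
#
# Step 1: in your local copy of the CRS, give the rule whose msg is
#         'Attempted multipart/form-data bypass' an id of its own,
#         for example id:'1000002' (the rule body is not reproduced here).
#
# Step 2: load the exception below BEFORE that rule. ctl:ruleRemoveById
#         only affects the current transaction and only rules that have
#         not yet run in it.
#
# SecRuleRemoveByMsg is a configure-time directive, not a SecRule, so it
# cannot be a chain member. Here every chain member is a SecRule and the
# last one carries no "chain" action, so the chain is closed.
SecRule REQUEST_URI "script.cfm" \
    "phase:1,id:'1000001',t:none,t:urlDecode,t:lowercase,t:normalisePath,nolog,pass,chain"
    # Non-disruptive actions fire when the rule that holds them matches,
    # so the ctl action sits on the LAST rule of the chain: it then runs
    # only when both conditions are true.
    SecRule REQUEST_HEADERS:Content-Type "@beginsWith multipart/form-data" \
        "t:none,t:lowercase,ctl:ruleRemoveById=1000002"
```

The exception is scoped to requests for script.cfm with a multipart body; every other transaction is still inspected by the removed rule.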
