[Owasp-modsecurity-core-rule-set] rule bypass
ivan.ristic at gmail.com
Sun Jan 17 10:50:01 EST 2010
On Sun, Jan 17, 2010 at 3:43 PM, Chris Datfung <chris.datfung at gmail.com> wrote:
>> > Hi Ivan,
>> > I'll try the SecRuleRemoveByMsg. As an aside, is there a reason that
>> > ruleRemoveById is a ctl option but ruleRemoveByMsg is not?
>> Yes, there is. SecRuleRemoveBy(Id|Msg) operate at configure-time and
>> affect the configuration that will be used as a starting point for all
>> requests. The ctl:ruleRemoveById action is executed on per-transaction
>> basis and can only affect the transaction in which it executes.
> Hi Ivan,
> I still don't understand why you can't have a ctl:ruleRemoveByMsg action
> that is executed on a per-transaction basis.
You most certainly can. In fact, that's the only way to conditionally
remove a rule (which sounds like what you're after).
>> > Ideally, in this
>> > case, I'd like to create a single rule that first matches the effected
>> > parameter and then removes the rule based on the message. I guess I
>> > could
>> > still do that by chaining two rules together.
>> Yes, that sounds likely.
> I've been playing around with this and have hit a dead end. I created the
> following rule:
> SecRule REQUEST_URI "script.cfm"
> SecRule &FILES:Filename "@gt 0" chain
> SecRuleRemoveByMsg "Attempted multipart\/form-data bypass"
SecRuleRemoveByMsg is also not a rule and cannot be chained. It's a
configuration directive. You should be using the ctl: action in your
> but whenever that rule is uncommented I get the following error:
> Syntax error on line 21 of
> ModSecurity: Execution phases can only be specified by chain starter rules.
What's on line 21?
ModSecurity Handbook [https://www.feistyduck.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
More information about the Owasp-modsecurity-core-rule-set