Nick Gearls | 4 Jul 10:49

Disabling rules for one argument

Hello,

I have a rule like
    SecRule ARGS "bad pattern" "id:10000,..."
and I'd like to disable it for one specific argument

I tried
    SecRule ARGS:name  "phase:2,t:none,allow,nolog,ctl:ruleRemoveById=10000"

but it doesn't work.

Any idea?

Thanks,

Nick

Ryan Barnett | 4 Jul 14:43

Re: Disabling rules for one argument

Perhaps I am not understanding your issue, but you can simply add an inverted variable (with the specific
argument name) to the variable list to exclude it -

SecRule ARGS|!ARGS:name "bad pattern" ...

Thanks,
Ryan C. Barnett 


Nick Gearls | 4 Jul 17:03

Re: Disabling rules for one argument

Obviously, I was not specific enough.

I want to create a rule for all arguments at the global level, then, 
inside a sub-location, disable it for one specific argument.
Ex:
	SecRule ARGS "bad pattern" "id:10000,..."
	...
	<Location ...>
	 SecRule ARGS:name \
	   "phase:2,t:none,allow,nolog,ctl:ruleRemoveById=10000"
	</Location>

Nick


Re: Disabling rules for one argument

Nick Gearls schrieb:
> Obviously, I was not specific enough.
>
> I want to create a rule for all arguments at the global level, then, 
> inside a sub-location, disable it for one specific argument.
> Ex:
> 	SecRule ARGS "bad pattern" "id:10000,..."
> 	...
> 	<Location ...>
> 	 SecRule ARGS:name \
> 	   "phase:2,t:none,allow,nolog,ctl:ruleRemoveById=10000"
> 	</Location>
>
> Nick
>   
You need to take care of a few things here:

   (1) If you specify "ctl:ruleRemoveById" in phase 2 and rule with id
       10000 is a phase 1 rule, then removal will take place after rule
       10000 has already been applied.

   (2) In your sample above, if you remove the rule 10000 in dependency
       of a "name" parameter, you will also lose the check of all the
       other parameters in case a "name" parameter is present.

So together you have a catch-22 rule.
The straightforward solution would be what Ryan sort of suggested:

Ryan Barnett | 4 Jul 19:45

Re: Disabling rules for one argument

> -----Original Message-----
> From: Nick Gearls [mailto:nickgearls <at> gmail.com]
> Sent: Friday, July 04, 2008 11:04 AM
> To: Ryan Barnett
> Cc: mod-security-users <at> lists.sourceforge.net
> Subject: Re: [mod-security-users] Disabling rules for one argument
> 
> Obviously, I was not specific enough.
> 
> I want to create a rule for all arguments at the global level, then,
> inside a sub-location, disable it for one specific argument.
> Ex:
> 	SecRule ARGS "bad pattern" "id:10000,..."
> 	...
> 	<Location ...>
> 	 SecRule ARGS:name \
> 	   "phase:2,t:none,allow,nolog,ctl:ruleRemoveById=10000"
> 	</Location>
> 
[Ryan Barnett] Thanks for clarifying.  This is a bit of a tricky one :)
In order to get the rule logic that you want, you will most likely need
to use some combination of skip actions.  Here is an example rule set
that should work (not tested though) -

SecRule REQUEST_FILENAME "^/location/path/" \
    "chain,phase:2,id:10000,deny"
    SecRule ARGS|!ARGS:name "bad pattern"
SecRule REQUEST_FILENAME "^/location/path/" "phase:2,nolog,pass,skip:1"
SecRule ARGS "bad pattern" "phase:2,id:10001,..."

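An added example, not from any post in this thread, that does the runtime exclusion the way the two replies above require: the removal is registered in phase 1, which is always evaluated before any phase 2 rule, and it is keyed on the request path rather than on the presence of the parameter, so a replacement rule can keep the check for every other argument. One caveat a practitioner needs here: ModSecurity 2.x does not apply `<Location>` or `<Directory>` scoping to phase 1 rules, because phase 1 runs in Apache's post-read-request hook before the request has been mapped, so this variant has to live at the server or virtual-host level and select the path itself; a phase 2 ctl rule placed inside the `<Location>` would run after the inherited rule 10000 and would remove nothing in time. A second point about the rule in the original post: `SecRule` takes VARIABLES, OPERATOR and then ACTIONS, and that rule passes only two arguments, so its action list is read as the regular expression and the `ctl:` action never executes. The path `/app/legacy/`, the parameter `name`, the ids 10001 and 10002 and `"bad pattern"` are placeholders.

```apache
# Added example, not from the thread. Path, ids and "bad pattern" are
# placeholders. Must sit at server/vhost level: phase 1 ignores <Location>.

# 1. Register the removal first. Phase 1 is evaluated before any phase 2
#    rule, so 10000 is already on the skip list when phase 2 starts.
#    Keyed on the path, not on the presence of the 'name' argument.
#    Three arguments: variables, operator, actions. A two-argument
#    SecRule would treat the action string as its regex.
SecRule REQUEST_FILENAME "@beginsWith /app/legacy/" \
    "id:10001,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=10000"

# 2. The global check for every argument, now skipped under /app/legacy/.
SecRule ARGS "bad pattern" \
    "id:10000,phase:2,t:none,deny,log,msg:'bad pattern in request argument'"

# 3. Replacement for that path only: the same check with 'name' excluded.
#    Chained so the exclusion applies just there; disruptive actions and
#    the id belong on the first rule of the chain.
SecRule REQUEST_FILENAME "@beginsWith /app/legacy/" \
    "chain,id:10002,phase:2,t:none,deny,log,msg:'bad pattern in request argument (name exempt)'"
    SecRule ARGS|!ARGS:name "bad pattern" "t:none"
```

The order of rules 1 and 2 in the file does not matter once they are in different phases, but keeping the ctl rule first makes the intent obvious to the next person reading the configuration.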

Nick Gearls | 7 Jul 10:33

Re: Disabling rules for one argument

Thanks Barnett,
I was a bit afraid beforehand about the answer ;-)

If I understand correctly, there is no way, for example, to remove a 
core rule check for one argument without modifying the core rule,
right?

How does the ctl:ruleRemoveById rule work exactly?
I suppose it is evaluated
  1. either before the id rule is defined
         -> id was not defined
         -> ignored
  2. or after the id rule is defined
         -> the request was already blocked
         -> never reached

Regards,

Nick


Nick Gearls | 7 Jul 10:53

Re: Disabling rules for one argument

Btw, isn't it possible to define a dynamic rule (generic), like
	SecRule ARGS|!ARGS:xxx "bad pattern"
where xxx is defined, either via a transaction data or an environment 
variable?

Thanks,
Regards,

Nick


Brian Rectanus | 7 Jul 18:08

Re: Disabling rules for one argument

Nick Gearls wrote:
> Thanks Barnett,
> I was a bit afraid beforehand about the answer ;-)
> 
> If I understand correctly, there is no way, for example, to remove a
> core rule check for one argument without modifying the core rule,
> right ?

To some degree.  It is a needed feature ;)

You can remove the rule and write a replacement, but it is a config
time, not a runtime feature (i.e. you must use SecRuleRemoveById vs
ctl:ruleRemoveById).  But, doing this, you do not have to touch the
actual core rule file unless you need the rule in the same order.

> How does the ctl:ruleRemoveById rule work exactly ?
> I suppose it is evaluated
>   1. either before the id rule is defined
>          -> id was not defined
>          -> ignored
>   2. or after the id rule is defined
>          -> the request was already blocked
>          -> never reached

The ctl actions are evaluated at runtime.  So, in this case, it builds a
list of rule IDs to remove.  If it comes across one of those rules in
the future, then it is just skipped.  So, you need the
ctl:ruleRemoveById=N rule to be executed *before* the rule N.

Note that the ctl:ruleRemoveById action does handle prior removal of
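The configuration-time form Brian describes, written out as an added example (not Brian's code and not from the core rules): `SecRuleRemoveById` is a directive, so it takes effect when Apache parses the configuration, and used in a child context it removes the inherited rule from that context only. The replacement is then an ordinary phase 2 rule and can sit inside the `<Location>`, which is where Nick wanted it. The path, the ids and `"bad pattern"` are placeholders.

```apache
# Added example, not from the thread. Path, ids and "bad pattern" are
# placeholders.

# Global rule, inherited by every location.
SecRule ARGS "bad pattern" \
    "id:10000,phase:2,t:none,deny,log,msg:'bad pattern in request argument'"

<Location /app/legacy/>
    # Configuration-time removal: rule 10000 is dropped from this
    # context's rule set when the config is parsed, so per-request
    # evaluation order no longer matters. Other locations keep the rule.
    SecRuleRemoveById 10000

    # Replacement: the same check with 'name' left out. Phase 2 is
    # required here, since <Location> scoping is not applied to phase 1.
    SecRule ARGS|!ARGS:name "bad pattern" \
        "id:10002,phase:2,t:none,deny,log,msg:'bad pattern in request argument (name exempt)'"
</Location>
```

When the rule comes from a file you do not maintain, such as the Core Rule Set, this is the form that leaves that file untouched: include the rules, then remove and replace in your own context. In ModSecurity 2.6 and later the same edit is possible without a replacement rule, using `SecRuleUpdateTargetById 10000 "!ARGS:name"` in the child context (or, at runtime, `ctl:ruleRemoveTargetById=10000;ARGS:name`), which is the per-target exclusion Brian calls a needed feature above.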

Nick Gearls | 8 Jul 13:08

Re: Disabling rules for one argument

There could potentially be a solution.
Is there any way to use a transaction/environment variable inside a
check, like
	SecRule ARGS|!ARGS:'/%{tx.ignored}/'  ...

That would be one way of achieving the result, at least in some
circumstances.

Nick


Brian Rectanus | 9 Jul 00:52

Re: Disabling rules for one argument

Nick Gearls wrote:
> There could potentially be a solution.
> Is there any way to use a transaction/environment variable inside a
> check, like
>         SecRule ARGS|!ARGS:'/%{tx.ignored}/'  ...
> 
> That would be one way of achieving the result, at least in some
> circumstances
> 
> Nick

1) /.../ is a regex and pre-compiled, so macro expansion would only
happen at compile time.
2) No macro expansion is allowed in the TARGET (yet). ;)

-B


