Abey Thomas | 10 Feb 16:16

ignore http header

Hi all,

I currently have a problem with a mod security installation when an HTTP header is constantly triggering an exception. I was wondering if

The header starts with Origin:https://mail-... and the word /mail is triggering the block. Was wondering if there is a way to make the WAF ignore all request headers named "Origin" but still make the WAF trigger if the POSTed data contains "/mail-.."

 
Regards,
Abey

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
Ryan Barnett | 10 Feb 16:44

Re: ignore http header

Please reference the document for the SecRuleUpdateTargetById (and its ctl action option) - http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRuleUpdateTargetById

You should be able to use this rule -

SecRule REQUEST_HEADERS:Origin "@beginsWith https://mail" "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=959006;!REQUEST_HEADERS:Origin"

Add this rule to a local modsecurity_crs_15_custom.conf rules file so that it runs before the normal CRS rules.

--
Ryan Barnett

From: Abey Thomas <abeyth <at> gmail.com<mailto:abeyth <at> gmail.com>>
Date: Fri, 10 Feb 2012 09:16:15 -0600
To:
"mod-security-users <at> lists.sourceforge.net<mailto:mod-security-users <at> lists.sourceforge.net>" <mod-security-users <at> lists.sourceforge.net<mailto:mod-security-users <at> lists.sourceforge.net>>
Subject: [mod-security-users] ignore http header

Hi all,

I currently have a problem with a mod security installation when a http header is constantly triggering an
exception. I was wondering if

The header starts with  Origin:https://mail-... and the word /mail is triggering the block. Was wondering
if there is a way to make WAF ignore all request header named "Origin" but still make waf trigger if the
POSTed data contains "/mail-.."

Regards,
Abey

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from
disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any
disclosure, copying, distribution, or use of the information contained herein (including any reliance
thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately
contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
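
The two exception mechanisms the reply refers to, side by side, as an added configuration example that is not part of the original thread. Rule id 959006 and the file modsecurity_crs_15_custom.conf come from the reply; the name of the file loaded after the CRS is hypothetical. Both forms require ModSecurity 2.6 or later.

```apache
# Added example, not from the thread.

# Form 1: runtime exception via the ctl action (the rule given in the reply).
# It removes REQUEST_HEADERS:Origin from rule 959006's targets only for
# transactions whose Origin header begins with https://mail. Any other
# Origin value is still inspected by 959006.
# Placement: BEFORE the CRS rule runs, e.g. modsecurity_crs_15_custom.conf.
SecRule REQUEST_HEADERS:Origin "@beginsWith https://mail" \
    "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=959006;!REQUEST_HEADERS:Origin"

# Form 2: configuration-time exception via the directive.
# It removes REQUEST_HEADERS:Origin from rule 959006's targets for every
# transaction, whatever the header contains.
# Placement: AFTER rule 959006 has been loaded, e.g. in a local file that
# sorts after the CRS files (hypothetical name: modsecurity_crs_60_custom.conf).
SecRuleUpdateTargetById 959006 "!REQUEST_HEADERS:Origin"
```

Either form changes only the target list of rule 959006; the rule's remaining targets are left in place, so it keeps evaluating them as before. Form 1 is the narrower exception and is preferable when only the known mail origin causes the false positive.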


Abey Thomas | 10 Feb 16:57

Re: ignore http header

Hi Ryan,

Thanks for the quick response. I referenced the manual and ruleUpdateTargetById is only for v2.6. I guess I will upgrade mine soon.

Regards,
Abey

On Fri, Feb 10, 2012 at 3:44 PM, Ryan Barnett <RBarnett <at> trustwave.com> wrote:
Please reference the document for the SecRuleUpdateTargetById (and its ctl action option) - http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRuleUpdateTargetById

You should be able to use this rule -

SecRule REQUEST_HEADERS:Origin "@beginsWith https://mail" "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=959006;!REQUEST_HEADERS:Origin"

Add this rule to a local modsecurity_crs_15_custom.conf rules file so that it runs before the normal CRS rules.

--
Ryan Barnett

--
Regards,
Abey Babu Thomas