David R | 25 Jul 2012 00:50

SecRule syntaxes

Hello, 

I wondered how I could, for example:

Whitelist the "param" argument for the URL /prout.php on the vhost www.host.com
from rule id 950901.

The maximum that I am able to do is:

SecRule REQUEST_HEADERS:Host "www.host.com$" \
    "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=950109;ARGS:param"

How could I include the REQUEST_URI "^/prout\.php" in that request?

My other question is regarding performance: is there any advantage to writing a
rule like this one?

SecRule REQUEST_HEADERS:Host "www.host.com$" \
    "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=981173,ctl:ruleRemoveById=950901,ctl:ruleRemoveById=950109,ctl:ruleRemoveById=950117;ARGS:param"

Will the previous rule work, and will it impact performance in a good or bad way?

Thank you for your responses.

Kind regards


Josh Amishav-Zlatin | 25 Jul 2012 21:58

Re: SecRule syntaxes

On Wed, Jul 25, 2012 at 1:50 AM, David R <rewt <at> linux-elite.org> wrote:
Hello,

I wondered how I could, for example:

Whitelist the "param" argument for the URL /prout.php on the vhost www.host.com
from rule id 950901.

The maximum that I am able to do is:

SecRule REQUEST_HEADERS:Host "www.host.com$" \
    "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=950109;ARGS:param"

How could I include the REQUEST_URI "^/prout\.php" in that request?

Hi David,

ruleRemoveById just takes a rule id as a parameter; the SecRuleUpdateTargetById directive lets you whitelist certain parameters for a given rule. While you can chain rules together to add the REQUEST_URI condition, you can also use Apache Location directives, e.g.:

SecRule REQUEST_HEADERS:Host "www.host.com" "phase:1,t:none, \
  nolog,id:1,chain,pass"
  # ctl is non-disruptive and fires as soon as the rule carrying it matches,
  # so it belongs on the last rule of the chain (after both conditions hold);
  # ruleUpdateTargetById separates the rule id from the target with ';'
  SecRule REQUEST_URI "^/prout\.php" "ctl:ruleUpdateTargetById=950109;!ARGS:param"

or 

<Location /prout.php>
  # same exception, scoped by Location instead of a chained REQUEST_URI check
  SecRule REQUEST_HEADERS:Host "www.host.com" "phase:1,t:none, \
    nolog,id:1,pass,ctl:ruleUpdateTargetById=950109;!ARGS:param"
</Location>

--
 - Josh
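A worked configuration that covers both of David's questions (the single-parameter exception scoped to one vhost and one path, and the "several rule ids in one rule" form), written as an added example rather than code from the thread or from the ModSecurity project. It assumes a ModSecurity 2.x build that supports ctl:ruleUpdateTargetById and the SecRuleUpdateTargetById directive; the rule ids 10001 and 10002 are local choices, and REQUEST_FILENAME with @streq is used instead of a REQUEST_URI regex so that the query string and longer paths such as /prout.php.bak do not match.

```apache
# Added example (not from the thread or the ModSecurity project). Assumes a
# ModSecurity 2.x build with ctl:ruleUpdateTargetById and the
# SecRuleUpdateTargetById directive; ids 10001/10002 are local, assumed values.

# 1. Conditional exception: only when Host is www.host.com AND the request
#    path is exactly /prout.php. The ctl action sits on the LAST rule of the
#    chain, so it runs only after both conditions matched. Rule 950901 keeps
#    inspecting every other argument; only ARGS:param is excluded from it.
SecRule REQUEST_HEADERS:Host "^www\.host\.com$" \
    "id:10001,phase:1,t:none,nolog,pass,chain"
    SecRule REQUEST_FILENAME "@streq /prout.php" \
        "t:none,ctl:ruleUpdateTargetById=950901;!ARGS:param"

# 2. Same scope, several rules at once (the multi-ctl form from the question).
#    Each ctl action is independent, so listing several in one rule is valid;
#    the per-request cost is the two condition checks, and the ctl updates
#    themselves are cheap bookkeeping on the matched rule set.
SecRule REQUEST_HEADERS:Host "^www\.host\.com$" \
    "id:10002,phase:1,t:none,nolog,pass,chain"
    SecRule REQUEST_FILENAME "@streq /prout.php" \
        "t:none,\
        ctl:ruleUpdateTargetById=981173;!ARGS:param,\
        ctl:ruleUpdateTargetById=950901;!ARGS:param,\
        ctl:ruleUpdateTargetById=950109;!ARGS:param,\
        ctl:ruleUpdateTargetById=950117;!ARGS:param"

# 3. Unconditional exception (every vhost, every URL): the directive form that
#    Josh names. It must appear AFTER the Include of the rule it modifies.
SecRuleUpdateTargetById 950901 "!ARGS:param"
```

Prefer the ruleUpdateTargetById forms over ctl:ruleRemoveById whenever only one parameter is the false-positive source: removing the whole rule for the request turns off inspection of every other argument as well, whereas the target update keeps the rule active and only drops the named parameter from its variable list.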
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
David R | 26 Jul 2012 08:44

Re: SecRule syntaxes

Thank you so much for this clear, perfect reply.

But does it mean that this rule will not work / be effective on the MYPARAM
argument?

SecRule REQUEST_FILENAME "@streq /path/to/a/file" \
    "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=981173;ARGS:MYPARAM"

And what about this one?

SecRule REQUEST_HEADERS:Host "www.host.com$" \
    "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=981173,ctl:ruleRemoveById=950901,ctl:ruleRemoveById=950109,ctl:ruleRemoveById=950117;ARGS:referer"

Thanks again for your response
