
List:       mod-security-users
Subject:    Re: [mod-security-users] controlling modSecurity dynamically via
From:       Ryan Barnett <RBarnett () trustwave ! com>
Date:       2011-08-09 16:43:32
Message-ID: CA66DB6C.2E881%rbarnett () trustwave ! com

Yes, the file numbering is relevant.  Because most people use Apache
wild-carding when calling up the conf files, we needed a way to ensure that they are
run in this specific order.  Some rules files rely upon data from other files.  As
you mentioned – the 15 custom rules files are useful for whitelisting IP addresses
and conditional exceptions, etc… while the 60 custom rules file is good for updating
current rules for explicit exceptions.

-Ryan

From: "Administrator Beckspaced.com" <admin@beckspaced.com>
Reply-To: "admin@beckspaced.com" <admin@beckspaced.com>
Date: Tue, 9 Aug 2011 11:30:11 -0500
To: Christian Bockermann <chris@jwall.org>
Cc: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: Re: [mod-security-users] controlling modSecurity dynamically via SetEnvIf MODSEC_ENABLE

hi chris,

you're a star ;-) that worked perfectly ...

created a custom rule file -> modsecurity_crs_15_customrules.conf
inserted the rule you gave me ...
did a symlink to the 'activated_rules' folder

and yep ... no more false positive on the image ... awesome ;-)

just another quick question if that is ok with you?
i'm not a modSecurity expert ... but do those increasing numbers in the .conf files
have a meaning?

e.g. _41_sql_injection ... _35_bad_robots ... etc ...

does the number have something to do with the order in which the config files are loaded?
or is that just for internal indexing purposes?

does it make a difference if my custom rules conf is named _60_customrules.conf or
_15_customrules.conf or _10_customrules.conf

just curious and thought i would ask

anyway ... thanks a lot for your brilliant help.
it worked and now i'm happy again ;-)

greetings
becki

On 8/9/2011 17:52, Christian Bockermann wrote:

Hi becki,

the easiest way to accomplish that is probably by using the "ctl" action
of ModSecurity and matching the REQUEST_URI variable:

    SecRule REQUEST_URI "\.(gif|jpg|png)$"  "phase:1,pass,ctl:ruleEngine=off"


This will switch off the rule-engine for all requests matching image
file names.

Best regards,
    Chris


Am 09.08.2011 um 16:54 schrieb Administrator Beckspaced.com:



hello there,

installed the newest modSecurity 2.6.1 on an apache 2.2.17 and all works fine

BUT ... somehow an SQL injection core rule catches a false positive on a simple GET
/path/to/dir/haadyaodivers.jpg

which is actually indeed strange ... because if i change the picture name from
haadyaodivers.jpg to e.g. hyd.jpg then all is fine and i don't get a false positive

well ... so i thought the best would be to just dynamically disable modsecurity via
apache's SetEnvIf / SetEnvIfNoCase and the MODSEC_ENABLE variable

this is something i found via google, but refers to an older modsecurity v. 1.9.3

but i think it must also be possible with the newest 2.6.1?

so i made sure that apache loads the 'env' and 'setenvif' modules ...
modified the http.conf and inserted ->

SetEnvIfNoCase Request_URI "\.gif$" MODSEC_ENABLE=off
SetEnvIfNoCase Request_URI "\.jpg$" MODSEC_ENABLE=off
SetEnvIfNoCase Request_URI "\.png$" MODSEC_ENABLE=off

did an apache2 restart

but the core rule still catches with the .jpg image even though i told modSecurity
NOT TO!

so ... i'm basically going nuts here and i'm not sure if this still works with the
2.6.1 version

any hint or help on how to disable modSecurity for image GET requests would be highly
appreciated

thanks a million & all the best
becki

------------------------------------------------------------------------------
uberSVN's rich system and user administration capabilities and model
configuration take the hassle out of deploying and managing Subversion and the tools
developers use with it. Learn more about uberSVN and get a free download at:
http://p.sf.net/sfu/wandisco-dev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
 ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php


--
Beckspaced.com - WebDesign, Hosting & Solutions

CEO Becki Beckmann

Marienplatz 9
97353 Wiesentheid
Germany
Phone: 09383-425

P.O. Box 15
Thongsala
84280 Koh Phangan
Suratthani / Thailand
Phone: 077-377 733
Mobile: 087-2828826

----------------------------------------------
Optimism is only a lack of information!
----------------------------------------------

WebDesign & Hosting - http://beckspaced.com - Are You Beckspaced?
Phangan Independent News - http://kohphangannews.org - The Awful Truth!




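
Added example (not part of the original thread and not Core Rule Set code): the exclusion quoted in the thread next to a narrower form for the same modsecurity_crs_15_customrules.conf file. REQUEST_URI includes the query string, so the posted pattern is not limited to the file name and the engine goes off for everything it matches; the narrower rule matches REQUEST_FILENAME and removes only the rule that misfired. The rule id 1500001 is constructed and RULE_ID_FROM_AUDIT_LOG is a placeholder, since the thread does not give the id of the SQL injection rule.

```apache
# modsecurity_crs_15_customrules.conf
#
# The wildcard Include of the activated_rules folder loads files in name
# order, so this 15 file is read before the _41_sql_injection file and a
# ctl action set here is already in effect when those rules are evaluated.

# As posted in the thread (kept for comparison, commented out):
# turns the whole rule engine off for the transaction. REQUEST_URI holds
# the path AND the query string, so the "$" anchor is applied to the end
# of the query string whenever one is present.
#SecRule REQUEST_URI "\.(gif|jpg|png)$" "phase:1,pass,ctl:ruleEngine=off"

# Narrower form (added example):
#   - REQUEST_FILENAME is the request path without the query string
#   - t:lowercase makes the extension check case-insensitive
#   - ctl:ruleRemoveById drops one rule for this transaction only;
#     every other rule still runs against the request
#   - id is constructed; ModSecurity 2.7 and later require one per rule
# RULE_ID_FROM_AUDIT_LOG is a placeholder: replace it with the numeric id
# that the audit log reports for the false positive before loading this.
SecRule REQUEST_FILENAME "\.(?:gif|jpg|png)$" \
    "phase:1,id:1500001,t:none,t:lowercase,nolog,pass,ctl:ruleRemoveById=RULE_ID_FROM_AUDIT_LOG"
```

Because ctl only affects rules evaluated after it, the same rule placed in a 60 file would run too late to suppress a match from the 41 file.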

