thank you very much Rian for all clarifications, there were some other typos I have found along the files, shall I spot them all?
On Thu, Dec 8, 2011 at 11:25 PM, Ryan Barnett <[email protected]>wrote: > > > On 12/6/11 9:31 PM, "Tzury Bar Yochay" <[email protected]> wrote: > > >While going through rule files i have gathered few questions which I > >will appreciate if someone can help me with them. > > > >1) I have seen several cases where setvar is stated without the right > >part, e.g. > > > > SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" > >"capture,t:none,setvar:!tx.%{tx.1}" > > > > I wonder what it means, as normally, set is in the form of x = y, > >and not x, or !x in this case. > > This is the syntax to remove a TX variable entirely. > > > > >2) There seems to be a typo at line: > > > > SecRule REQUEST_LINE "^GET /$" > >"chain,phase:2,id:981020',t:none,pass,nolog" > > > > There is a trailing apostrophe (') after the id > > There actually should have been a single quote at the beginning of the id > data like this - id:'981020'. I fixed it locally and it will be updated > in SNV soon. > > > > > >3) Few days ago I asked the following question but yet not got answer for > > When I see a rule such as > > > > SecRule ARGS:&category "(?i:SELECT.+FROM)" > >"ctl:auditLogParts=+..." > > > > I wonder what is the role of the ampersand, before the category, so > > far I know, '&' means counting operatoration and usually, it follows > > by a numeric operation, e.g. @eq, @ge and alike. > > > > However, this is a case where I see & which followed by an implicit > >'@rx' > > This was a bug in the snort2modsec.pl script. The & should have been > removed when creating the SecRule. I will take a look. > > -Ryan > > > > > > >Thanks in advance for your help, > >Tzury > >_______________________________________________ > >Owasp-modsecurity-core-rule-set mailing list > >[email protected] > >https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set > > > > > This transmission may contain information that is privileged, > confidential, and/or exempt from disclosure under applicable law. If you > are not the intended recipient, you are hereby notified that any > disclosure, copying, distribution, or use of the information contained > herein (including any reliance thereon) is STRICTLY PROHIBITED. If you > received this transmission in error, please immediately contact the sender > and destroy the material in its entirety, whether in electronic or hard > copy format. > >
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
