One potential bypass issue - Cookies. This was an issue in the SQL injection challenge.
I guess we could add a check to make sure there are no cookies either. If so, we should run the request through normal inspection.

Ryan

On Feb 15, 2012, at 5:25 PM, "Ryan Barnett" <rbarn...@trustwave.com> wrote:

I would like to update the logic of this ruleset -
http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/optional_rules/modsecurity_crs_10_ignore_static.conf

The concept is that rather than audit log all transactions (with SecAuditLog On), you want to exclude logging requests for static resources. The trick is that we need to try and ensure that the attack surface is significantly reduced. In order to do that, I am testing this updated ruleset -

SecRule REQUEST_METHOD "@pm GET HEAD" "id:'999001',chain,phase:1,t:none,nolog,pass"
    SecRule REQUEST_URI "!@contains ?" "chain"
    SecRule &ARGS "@eq 0" "chain"
    SecRule &REQUEST_HEADERS:Content-Length|&REQUEST_HEADERS:Content-Type "@eq 0" "ctl:ruleEngine=Off,ctl:auditEngine=Off"

This rule checks the following -

1. That the request method is either a GET or HEAD. If it is anything else, then it should probably be logged as it is a dynamic request method looking to alter data.
2. Verifies that there is no query string by checking for the ? char in the URI.
3. Verifies that there are no ARGS being passed.
4. Verifies that there is no request body by checking for the existence of Content-Length and Content-Type request headers.

If all of these rules match, then the ctl actions are used to toggle off both the audit and rule engines.

Does anyone have any feedback on this updated ruleset? Any improvements?

Thanks.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader
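As an added example, not code from either message or from the CRS project: a small Python model of the four-link chain above, with the extra "no Cookie header" link that the reply suggests, run over a few constructed requests to show which ones would have both engines switched off. Function and sample names are mine, and the semantics are simplified: in phase:1 ARGS holds only query-string arguments, and when a SecRule lists several variables the operator is applied to each and the rule matches if any of them matches.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal request model (hypothetical helper, not a ModSecurity type)."""
    method: str
    uri: str
    headers: dict = field(default_factory=dict)


def header_count(req, name):
    """Model &REQUEST_HEADERS:Name, the number of headers with that name."""
    return sum(1 for h in req.headers if h.lower() == name.lower())


def args_count(req):
    """Model &ARGS in phase:1, where only query-string args are available."""
    _, _, qs = req.uri.partition("?")
    return len([p for p in qs.split("&") if p])


def skip_inspection(req, check_cookies):
    """True when every link of the chain matches, i.e. the ctl actions fire."""
    if req.method.upper() not in ("GET", "HEAD"):  # REQUEST_METHOD "@pm GET HEAD"
        return False
    if "?" in req.uri:                              # REQUEST_URI "!@contains ?"
        return False
    if args_count(req) != 0:                        # &ARGS "@eq 0"
        return False
    # &REQUEST_HEADERS:Content-Length|&REQUEST_HEADERS:Content-Type "@eq 0":
    # the operator runs against each variable and the rule matches on any hit.
    if not (header_count(req, "Content-Length") == 0
            or header_count(req, "Content-Type") == 0):
        return False
    # Proposed fifth link from the reply: &REQUEST_HEADERS:Cookie "@eq 0"
    if check_cookies and header_count(req, "Cookie") != 0:
        return False
    return True


SAMPLES = {  # constructed requests for the demonstration
    "static_css": Request("GET", "/static/site.css", {"Host": "example.test"}),
    "search": Request("GET", "/search?q=x", {"Host": "example.test"}),
    "login_post": Request("POST", "/login", {"Content-Type": "text/plain", "Content-Length": "27"}),
    "get_with_cookie": Request("GET", "/account", {"Host": "example.test", "Cookie": "session=abc"}),
}


def exempted(check_cookies):
    """Names of the sample requests the chain would exempt from inspection."""
    return sorted(n for n, r in SAMPLES.items() if skip_inspection(r, check_cookies))
```

Without the Cookie link, a plain GET carrying a session cookie is treated like a static resource and skips inspection; with it, only the cookie-less static request is exempted.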