On Wed, Sep 5, 2012 at 9:14 PM, Leonardo Bacha Abrantes <
leona...@lbasolutions.com> wrote:

> Hi Josh,
>
> Please, help me!
>
> I used the rule below, but it is allowing everyone instead of 192.168.1.10.
>
>
> SecRule REQUEST_URI "^/update.php" id:1,phase:1,chain,allow,nolog,t:none,ctl:ruleEngine=off
>    SecRule REMOTE_ADDR "^192\.168\.1\.10$" t:none
>
> I'm looking for the solution on the internet, but I didn't find any solution :(
>
>
Hi Leonardo,

When dealing with chained rules, non-disruptive actions are executed as
soon as the rule matches. The ctl action is considered a
non-disruptive action (examples of disruptive actions are: allow, deny,
block etc.). That is why the ruleEngine is disabled anytime ModSecurity
sees a request to /update.php (and the 2nd half of the chain isn't even
considered). Try moving the ctl action to the latter half of your rule,
e.g.:

SecRule REQUEST_URI "^/update.php" id:1,phase:1,chain,allow,nolog,t:none
   SecRule REMOTE_ADDR "^192\.168\.1\.10$" t:none,ctl:ruleEngine=off

--
 - Josh
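
The behaviour described in the reply above, as an added example that is not part of the original thread and is not ModSecurity's own code: a simplified Python model of chain evaluation, run against both versions of the rule. The function name `evaluate_chain`, the state dictionary and the sample client address 203.0.113.7 are assumptions made for illustration.

```python
import re

# Simplified model of the chain semantics described in the reply above.
# Assumption: only allow/deny/block and ctl:ruleEngine=off are modelled;
# id, phase, nolog and t:none are ignored because they do not affect the outcome.
DISRUPTIVE = {"allow", "deny", "block"}

def evaluate_chain(chain, request):
    """Evaluate one chained rule and return the resulting transaction state."""
    state = {"rule_engine": "on", "disruptive": None}
    pending = None
    for variable, pattern, actions in chain:
        if not re.search(pattern, request[variable]):
            return state  # chain broken: the disruptive action never fires
        for action in actions:
            if action in DISRUPTIVE:
                pending = action  # deferred until the whole chain has matched
            elif action == "ctl:ruleEngine=off":
                state["rule_engine"] = "off"  # non-disruptive: fires at once
    state["disruptive"] = pending
    return state

# The rule as first posted: ctl sits on the chain starter.
ORIGINAL = [
    ("REQUEST_URI", r"^/update.php", ["allow", "ctl:ruleEngine=off"]),
    ("REMOTE_ADDR", r"^192\.168\.1\.10$", []),
]
# The corrected rule: ctl moved to the last rule of the chain.
FIXED = [
    ("REQUEST_URI", r"^/update.php", ["allow"]),
    ("REMOTE_ADDR", r"^192\.168\.1\.10$", ["ctl:ruleEngine=off"]),
]

# Constructed sample requests.
TRUSTED = {"REQUEST_URI": "/update.php", "REMOTE_ADDR": "192.168.1.10"}
OTHER = {"REQUEST_URI": "/update.php", "REMOTE_ADDR": "203.0.113.7"}

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("fixed", FIXED)):
        for label, req in (("trusted", TRUSTED), ("other", OTHER)):
            print(f"{name:8} {label:7} {evaluate_chain(chain, req)}")
```

With the original rule the engine is switched off for the untrusted client even though `allow` never fires; with the corrected rule it stays on.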