Team,

I would appreciate your help. I would like to know if there is a possibility to 
BLOCK ONLY ONE rule in ModSecurity if it is configured to "Log Only" mode? 
Appreciate your help

With Best Regards,

Praveen Nair, CISSP, CISM, CRISC
IT Security Consultant 

Company Confidential

-----Original Message-----
From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org 
[mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of 
owasp-modsecurity-core-rule-set-requ...@lists.owasp.org
Sent: Monday, October 22, 2012 8:00 AM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Owasp-modsecurity-core-rule-set Digest, Vol 43, Issue 10

Today's Topics:

   1. Re: encoding (Achim)


----------------------------------------------------------------------

Message: 1
Date: Sun, 21 Oct 2012 19:02:57 +0200
From: Achim <ow...@sic-sec.org>
To: Iman Vakili <ivak...@yahoo.com>
Cc: "owasp-modsecurity-core-rule-set@lists.owasp.org"
        <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] encoding
Message-ID: <50842ac1.6020...@sic-sec.org>
Content-Type: text/plain; charset=UTF-8

Hi,

the encoding is not relevant as all is 7-bit US-ASCII according to the 
specifications of HTTP. Anything else must be URL-encoded using %HH notation. 
You don't need to struggle with any character set.
Consequentially all (most) rules detect non-ASCII and block, as it's considered 
harmful according to the specifications.
Things can be different in multipart POST data.

However, you can build your own rules to handle such characters if you want to 
make more detailed checks based on specific character sets.

Good luck
Achim

On 21.10.2012 10:07, Iman Vakili wrote:
> 
> 
> Hi
> 
> I have a big problem with how mod_security interprets other encodings 
> like iso-8859-1. When I'm sending non-ASCII characters like characters 
> from other languages (e.g. my name: ????? ) when the page encoding is 
> iso-8859-1 (Western European, which is the Firefox default browsing 
> encoding, for example), the data will be encoded in HTML and then 
> transferred to the server (e.g. my name: 
> &#1575;&#1740;&#1605;&#1575;&#1606;), so I thought I could use 
> t:htmlentitydecode to handle the problem, but when I was checking my 
> name I noticed that this transformation function does not work 
> properly; it changes my name to { '\xccE'F }. I think it would be best 
> if the function were developed to change this kind of data to Unicode 
> (like the new utf8tounicode function). There are more problems: for 
> example, when there is a "windows-1256" encoded web application, my 
> name becomes: %C7%26%231740%3B%E3%C7%E4. In this encoding, words don't 
> match with PCRE; for example, we have the \w regex in many rules, and 
> these characters won't match \w because of the nature of PCRE (which is 
> ASCII or UTF-8 based). I recommend writing a transformation function for 
> these encodings too.
> 
> Thanks and best regards
> 
> ~IMAN


------------------------------
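
An added example, not part of the original thread and not ModSecurity code: the normalization Iman asks for, applied to the two values quoted in his message, with the `\w` behaviour checked before and after. The function names and the use of Python's `cp1256` codec for "windows-1256" are assumptions of this example.

```python
import html
import re
from urllib.parse import unquote_to_bytes

# Values quoted in the message above.
ISO_8859_1_SAMPLE = "&#1575;&#1740;&#1605;&#1575;&#1606;"
WINDOWS_1256_SAMPLE = "%C7%26%231740%3B%E3%C7%E4"


def normalize(value: str, charset: str) -> str:
    """Return the Unicode text a browser form field carried.

    Order matters: %HH is the outermost layer, the page charset applies to
    the raw bytes underneath, and numeric entities are what the browser
    substituted for characters the page charset could not represent.
    """
    raw = unquote_to_bytes(value)                 # 1. undo %HH
    text = raw.decode(charset, errors="replace")  # 2. bytes -> code points
    return html.unescape(text)                    # 3. &#NNNN; -> code points


def ascii_word(value: str) -> bool:
    """What a byte-oriented \\w sees after URL decoding only."""
    # For bytes patterns, \w is limited to ASCII letters, digits and "_".
    return re.fullmatch(rb"\w+", unquote_to_bytes(value)) is not None


def unicode_word(text: str) -> bool:
    """\\w evaluated on decoded code points."""
    return re.fullmatch(r"\w+", text) is not None


if __name__ == "__main__":
    a = normalize(ISO_8859_1_SAMPLE, "iso-8859-1")
    b = normalize(WINDOWS_1256_SAMPLE, "cp1256")
    print([f"U+{ord(c):04X}" for c in b])
    print("same value from both encodings:", a == b)
    print("byte-level \\w matches:", ascii_word(WINDOWS_1256_SAMPLE))
    print("code-point \\w matches:", unicode_word(b))
```

Rules should inspect the value after this normalization, since step 3 can also produce characters such as `<` from `&#60;`.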

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set


End of Owasp-modsecurity-core-rule-set Digest, Vol 43, Issue 10
***************************************************************


