Matt,

What version of ModSecurity are you using? Since you don't need to do this conditionally based on request data, you could try just using the directive to remove it vs using the ctl action. Just make sure to put this in a custom rule file that is read AFTER the other rules.
The ctl action should work but you might want to try the directive instead.

-- 
Ryan Barnett

On Jan 31, 2013, at 7:27 PM, "Matt Mitchell" <mmitch...@backstopsolutions.com> wrote:

> Hey gang,
>
> I know this isn't a CRS issue per se, but I thought you might have some
> insight before I either dig through the mod_security code or ask them how I
> should do this.
>
> Our application occasionally wants to accept stuff that looks scary, like
> HTML, from certain form submissions. After some thought, I figured the best
> way to do this was to make a small change to the application to put "html" in
> the parameter name, and then use ctl:secRemoveTargetById to whitelist those
> rules on the way through the CRS rule set.
>
> Here's what I tried first, for one particular rule 973333:
>
> SecRule REQUEST_URI "." id:1000200,phase:2,pass,ctl:ruleRemoveTargetById=973333;ARGS:/[Hh]tml/
>
> But it doesn't seem to work. Everything is being treated as normal.
>
> I've used that REQUEST_URI-matching-anything idiom in other rules, so I don't
> think that is failing to match. My intention is to remove 973333 for only
> those arguments that match the regex. Anyone have any suggestions for me, or
> attempt something similar? If I can get this rule working, I'd then expect to
> have additional rules removing other targets that look basically the same.
>
> Thanks in advance --
>
> -m
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
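The two approaches discussed in this thread, written out as an added example (not configuration from either poster): the directive form Ryan recommends, which edits rule 973333 after the CRS has been loaded, and the ctl form Matt tried, which only takes effect for rules that execute later in the same transaction and therefore has to be loaded before the CRS. The "html"-in-the-parameter-name convention, the rule id 1000200 and the file paths in the comments are taken or assumed from the thread and are illustrative; the directive requires a ModSecurity 2.x release that supports SecRuleUpdateTargetById (2.6 and later).

```apache
# Added example: stop CRS rule 973333 from inspecting parameters whose NAME
# matches /[Hh]tml/ (assumed application convention), while every other CRS
# rule keeps inspecting them and 973333 keeps inspecting all other parameters.

# --- Option A: directive form --------------------------------------------
# Must live in a file Apache includes AFTER the CRS rule files, e.g. (assumed
# path) activated_rules/modsecurity_crs_99_local_exclusions.conf, because it
# modifies a rule that has to exist already. The leading "!" REMOVES the
# target from the rule's variable list.
SecRuleUpdateTargetById 973333 "!ARGS:/[Hh]tml/"

# --- Option B: ctl action (per-transaction) ------------------------------
# ctl:ruleRemoveTargetById only affects rules that run LATER in the same
# transaction. 973333 is a phase:2 rule, so this exclusion rule must be
# loaded BEFORE the CRS files and run in phase 1 (or earlier in phase 2).
# Placed in a file read after the CRS, as in the original attempt, it runs
# after 973333 has already evaluated the request and silently does nothing.
# Note the ctl form takes the target WITHOUT a "!".
SecRule REQUEST_URI "." \
    "id:1000200,phase:1,pass,nolog,ctl:ruleRemoveTargetById=973333;ARGS:/[Hh]tml/"
```

Use one option or the other, not both. To confirm the exclusion is doing exactly what is intended, send a request with a parameter such as `body_html` carrying a string that 973333 normally flags and one with the same payload in a parameter such as `comment`, then check the audit log: 973333 should be absent from the first transaction and still present in the second, and any other CRS rules that match the payload should appear in both.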