Ryan, I'm on 2.7.1.
By "directive" I assume you mean something like SecRuleUpdateTargetById? Along these lines?

SecRuleUpdateTargetById 973333 !ARGS:/[Hh]tml/

I'll give that a shot. Other ideas welcome.

-m

On 1/31/13 7:06 PM, "Ryan Barnett" <rbarn...@trustwave.com> wrote:

>Matt,
>What version of ModSecurity are you using?
>
>Since you don't need to do this conditionally based on request data, you
>could try just using the directive to remove it vs using the ctl action.
>Just make sure to put this in a custom rule file that is read AFTER the
>other rules.
>
>The ctl action should work but you might want to try the directive
>instead.
>
>--
>Ryan Barnett
>
>On Jan 31, 2013, at 7:27 PM, "Matt Mitchell"
><mmitch...@backstopsolutions.com> wrote:
>
>> Hey gang,
>>
>> I know this isn't a CRS issue per se, but I thought you might have some
>> insight before I either dig through the mod_security code or ask them
>> how I should do this.
>>
>> Our application occasionally wants to accept stuff that looks scary,
>> like HTML, from certain form submissions. After some thought, I figured
>> the best way to do this was to make a small change to the application to
>> put "html" in the parameter name, and then use ctl:secRemoveTargetById
>> to whitelist those rules on the way through the CRS rule set.
>>
>> Here's what I tried first, for one particular rule 973333:
>> SecRule REQUEST_URI "." id:1000200,phase:2,pass,ctl:ruleRemoveTargetById=973333;ARGS:/[Hh]tml/
>>
>> But it doesn't seem to work. Everything is being treated as normal.
>>
>> I've used that REQUEST_URI-matching-anything idiom in other rules, so I
>> don't think that is failing to match. My intention is to remove 973333
>> for only those arguments that match the regex. Anyone have any
>> suggestions for me, or attempt something similar? If I can get this rule
>> working, I'd then expect to have additional rules removing other targets
>> that look basically the same.
>>
>> Thanks in advance --
>>
>> -m