Hello Luiz, Seems no one mentioned that the rule should be "placed" after the rule your are going to disable. Therefore, according to the CRS repository, we can find the rule with the id "960009" is located in "modsecurity_crs_21_protocol_anomalies.conf". You have to put your whitelist rule after it, thus, you may create a file named "mod security_crs_60_disable_rid.conf" and put your whitelist rule into it. While the rule file is ready, you can restart your web server and everything should works well.
-- BR, Morris On Sat, May 16, 2015, at 07:53 AM, Guilherme Y wrote: > Tks Chaim! But now I really got confused. I am tring to use this line: > > SecRule REMOTE_ADDR "@ipMatch 999.99.99.99" > "id:1000,phase:2,t:none,pass,ctl:ruleRemoveById=960009" You´re telling > me to use this: > > "ctl:ruleRemoveById=960009,id:1000,phase:2,t:none,pass"SecRule > REMOTE_ADDR "@ipMatch 999.99.99.99" YIs this right? I probably got it > all wrong.... Tks a lot! Best regards! Luiz > > > From: csand...@trustwave.com To: asiaya...@hotmail.com; > barry_poll...@hotmail.com; > owasp-modsecurity-core-rule-set@lists.owasp.org Subject: Re: > [Owasp-modsecurity-core-rule-set] Rule 960009 generates false > positives from my own server IP Date: Fri, 15 May 2015 16:48:07 +0000 > > ctl:ruleRemoveById must appear BEFORE the rule in question. Where as > SecRuleRemoveByID must appear after. See the excerpt from this issue > (https://github.com/SpiderLabs/ModSecurity/issues/209). Hope this isn’t too confusing :) > > > *From: *Guilherme Y <asiaya...@hotmail.com> *Date: *Friday, May 15, > 2015 at 10:51 AM *To: *Barry Pollard <barry_poll...@hotmail.com>, > "owasp-modsecurity-core-rule-set@lists.owasp.org" > <owasp-modsecurity-core-rule-set@lists.owasp.org> *Subject: *Re: > [Owasp-modsecurity-core-rule-set] Rule 960009 generates false > positives from my own server IP > > ctl:ruleRemoveById > > This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. > _________________________________________________ > Owasp-modsecurity-core-rule-set mailing list > Owasp-modsecurity-core-rule-set@lists.owasp.org > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
