You could use the ‘ctl’ action to disable the engine after a certain rule 
triggers, thereby skipping the rest of the checks. You could also place this in 
a virtual host area if needed.

SecRule REQUEST_URI "@contains /encryptedbit/" "phase:1,t:none,pass,nolog,ctl:ruleEngine=Off"

Chaim Sanders
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org On Behalf Of Joshua Roback
Sent: Friday, June 12, 2015 9:16 AM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] Ignore URI From Scanning

Hello Group,
I've come across an issue in which I'll be using ModSecurity to protect a site 
with an encrypted URI.  For the sake of reducing false positives, what would be 
the most effective way to omit the URI from scanning but continue to scan other 
HTTP header fields and all payloads?
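
Added example, not part of either message above: the rule from the reply next to a narrower variant that keeps the engine on and only drops the URI-derived targets from tagged rules for matching requests. The rule ids and the tag pattern OWASP_CRS are assumptions; adjust them to your local id range and to the tags your rule set actually carries.

```apache
# Added example; ids and the tag pattern are assumptions, not values from
# the thread. Enable ONE variant and load it before the rules it affects,
# because ctl actions only influence rules evaluated after them.

# Variant A: the rule from the reply, with an id (ModSecurity 2.7 and later
# refuse to load rules without one). It switches the rule engine off for
# the rest of the transaction, so request headers and bodies of matching
# requests are not inspected either.
SecRule REQUEST_URI "@contains /encryptedbit/" \
    "id:1000001,phase:1,t:none,pass,nolog,ctl:ruleEngine=Off"

# Variant B: the engine stays on. For matching requests, the URI-derived
# variables are removed from the target list of every rule whose tag
# matches OWASP_CRS. Headers, arguments and bodies are still scanned.
SecRule REQUEST_URI "@contains /encryptedbit/" \
    "id:1000002,phase:1,t:none,pass,nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_URI,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_URI_RAW,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_FILENAME,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_BASENAME"
```

With variant B, rules that also inspect REQUEST_LINE or query-string arguments still see those values, so check the audit log for remaining false positives before widening the exclusion.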
