Wouldn't that bypass all future rules from scanning that same HTTP transactions?
On Fri, Jun 12, 2015 at 9:44 AM Chaim Sanders <csand...@trustwave.com> wrote: > You could use the ‘ctl’ action to disable the engine after a certain > rule triggers, thereby skipping the rest of the checks. You could also > place this in a virtual host area if needed. > > > > SecRule REQUEST_URI "@contains /encryptedbit/" "phase:1,t:none,pass, > nolog,ctl:ruleEngine=Off” > > > > *Chaim Sanders * > > Security Researcher, SpiderLabs > > > > *Trustwave* | SMART SECURITY ON DEMAND > > www.trustwave.com > > > > *From:* owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto: > owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] *On Behalf Of *Joshua > Roback > *Sent:* Friday, June 12, 2015 9:16 AM > *To:* owasp-modsecurity-core-rule-set@lists.owasp.org > *Subject:* [Owasp-modsecurity-core-rule-set] Ignore URI From Scanning > > > > Hello Group, > > I'm come across an issue in which I'll be using ModSecurity to protect a > site with an encrypted URI. For the sake of reducing false positives, what > would be the most effective way to omit the URI from scanning but continue > to scan other HTTP header fields and all payloads? > > ------------------------------ > > This transmission may contain information that is privileged, > confidential, and/or exempt from disclosure under applicable law. If you > are not the intended recipient, you are hereby notified that any > disclosure, copying, distribution, or use of the information contained > herein (including any reliance thereon) is strictly prohibited. If you > received this transmission in error, please immediately contact the sender > and destroy the material in its entirety, whether in electronic or hard > copy format. >
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
