That will cause all rules to be skipped every time that rule is triggered which will be whenever there is a request that matches that rule. If you want to skip it altogether you can only run ModSec rules on a particular <Location> (see the following example: https://www.digitalocean.com/community/tutorials/how-to-set-up-mod_security-with-apache-on-debian-ubuntu)
Chaim Sanders Security Researcher, SpiderLabs Trustwave | SMART SECURITY ON DEMAND www.trustwave.com<http://www.trustwave.com/> From: Joshua Roback [mailto:jrob...@gmail.com] Sent: Friday, June 12, 2015 9:57 AM To: Chaim Sanders; owasp-modsecurity-core-rule-set@lists.owasp.org Subject: Re: [Owasp-modsecurity-core-rule-set] Ignore URI From Scanning Wouldn't that bypass all future rules from scanning that same HTTP transactions? On Fri, Jun 12, 2015 at 9:44 AM Chaim Sanders <csand...@trustwave.com<mailto:csand...@trustwave.com>> wrote: You could use the ‘ctl’ action to disable the engine after a certain rule triggers, thereby skipping the rest of the checks. You could also place this in a virtual host area if needed. SecRule REQUEST_URI "@contains /encryptedbit/" "phase:1,t:none,pass, nolog,ctl:ruleEngine=Off” Chaim Sanders Security Researcher, SpiderLabs Trustwave | SMART SECURITY ON DEMAND www.trustwave.com<http://www.trustwave.com/> From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org> [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org>] On Behalf Of Joshua Roback Sent: Friday, June 12, 2015 9:16 AM To: owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org> Subject: [Owasp-modsecurity-core-rule-set] Ignore URI From Scanning Hello Group, I'm come across an issue in which I'll be using ModSecurity to protect a site with an encrypted URI. For the sake of reducing false positives, what would be the most effective way to omit the URI from scanning but continue to scan other HTTP header fields and all payloads? ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
