That would work for items within the URI as I need it to, but wouldn't it also ignore data in the request body via POST?

On Fri, Jun 12, 2015 at 10:11 AM Chaim Sanders <csand...@trustwave.com> wrote:

> There is in fact access to the requestBodyAccess directive from ctl… See
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ctl. You
> can use it in much the same way you could use RuleEngine. Hope this solves
> your problem.
>
> *Chaim Sanders*
> Security Researcher, SpiderLabs
> *Trustwave* | SMART SECURITY ON DEMAND
> www.trustwave.com
>
> *From:* Joshua Roback [mailto:jrob...@gmail.com]
> *Sent:* Friday, June 12, 2015 10:08 AM
> *To:* Chaim Sanders; owasp-modsecurity-core-rule-set@lists.owasp.org
> *Subject:* Re: [Owasp-modsecurity-core-rule-set] Ignore URI From Scanning
>
> Thanks Chaim.
>
> The ideal situation would be if there was a URI equivalent of
>
> SecResponseBodyAccess Off
>
> I can't always provide a URL string to match against and I don't want to
> disable all rules since it's only the URI that's encrypted at the application
> layer. Everything else is simple SSL/TLS which I can decrypt without problem.
>
> On Fri, Jun 12, 2015 at 10:02 AM Chaim Sanders <csand...@trustwave.com>
> wrote:
>
> > That will cause all rules to be skipped every time that rule is
> > triggered which will be whenever there is a request that matches that rule.
> > If you want to skip it altogether you can only run ModSec rules on a
> > particular <Location> (see the following example:
> > https://www.digitalocean.com/community/tutorials/how-to-set-up-mod_security-with-apache-on-debian-ubuntu
> > )
> >
> > *From:* Joshua Roback [mailto:jrob...@gmail.com]
> > *Sent:* Friday, June 12, 2015 9:57 AM
> > *To:* Chaim Sanders; owasp-modsecurity-core-rule-set@lists.owasp.org
> > *Subject:* Re: [Owasp-modsecurity-core-rule-set] Ignore URI From Scanning
> >
> > Wouldn't that bypass all future rules from scanning that same HTTP
> > transaction?
> >
> > On Fri, Jun 12, 2015 at 9:44 AM Chaim Sanders <csand...@trustwave.com>
> > wrote:
> >
> > > You could use the ‘ctl’ action to disable the engine after a certain
> > > rule triggers, thereby skipping the rest of the checks. You could also
> > > place this in a virtual host area if needed.
> > >
> > > SecRule REQUEST_URI "@contains /encryptedbit/" "phase:1,t:none,pass,nolog,ctl:ruleEngine=Off"
> > >
> > > *From:* owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:
> > > owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] *On Behalf Of* Joshua
> > > Roback
> > > *Sent:* Friday, June 12, 2015 9:16 AM
> > > *To:* owasp-modsecurity-core-rule-set@lists.owasp.org
> > > *Subject:* [Owasp-modsecurity-core-rule-set] Ignore URI From Scanning
> > >
> > > Hello Group,
> > >
> > > I've come across an issue in which I'll be using ModSecurity to protect a
> > > site with an encrypted URI. For the sake of reducing false positives, what
> > > would be the most effective way to omit the URI from scanning but continue
> > > to scan other HTTP header fields and all payloads?
>
> ------------------------------
>
> This transmission may contain information that is privileged,
> confidential, and/or exempt from disclosure under applicable law. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or use of the information contained
> herein (including any reliance thereon) is strictly prohibited. If you
> received this transmission in error, please immediately contact the sender
> and destroy the material in its entirety, whether in electronic or hard
> copy format.

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
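
Added example, not written by anyone in this thread: the two ctl options discussed above next to a target exclusion that drops only the URI from inspection, in ModSecurity 2.x syntax. The rule ids and the tag name are assumptions (a CRS 2.x style tag used as a placeholder; substitute the tags present in your rule files), and /encryptedbit/ is the path used in the thread.

```apache
# Added example (ModSecurity 2.x). Rule ids and the tag are placeholders.
# ModSecurity 2.7+ refuses to load a SecRule that has no id.

# (a) Rule from the thread: turns the engine off for the whole transaction,
#     so headers and the POST body of matching requests go uninspected too.
#SecRule REQUEST_URI "@contains /encryptedbit/" \
#    "id:10001,phase:1,t:none,pass,nolog,ctl:ruleEngine=Off"

# (b) ctl:requestBodyAccess=Off: rules keep running and REQUEST_URI is
#     still inspected, but the request body is no longer buffered or
#     inspected. That is the opposite of the goal stated in the thread.
#SecRule REQUEST_URI "@contains /encryptedbit/" \
#    "id:10002,phase:1,t:none,pass,nolog,ctl:requestBodyAccess=Off"

# (c) Per-transaction target exclusion: engine and body access stay on;
#     only the URI-derived variables are removed from rules carrying the
#     tag. Load this before the rules it is meant to modify.
SecRule REQUEST_URI "@contains /encryptedbit/" \
    "id:10003,phase:1,t:none,pass,nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/SQL_INJECTION;REQUEST_URI,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/SQL_INJECTION;REQUEST_FILENAME"

# (d) Static exclusion for the case where no URL string can be matched:
#     applies to every request on this host. Place it after the Include
#     lines that load the rules, since it edits rules already defined.
SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION" "!REQUEST_URI"
SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION" "!REQUEST_FILENAME"
```

Repeat the exclusion for each tag whose rules false-positive on the encrypted URI; ARGS, REQUEST_HEADERS and REQUEST_BODY remain in scope for those rules.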