At this point, I’m not exactly sure what you’re asking for. But as rules are processed in a precise order (by phase and by conf) you can either use SecMarker to skip to after the processing of a certain set of rules or you could reenable requestBodyAccess as soon as you have triggered another rule which might be after all the rules you don’t want run. Hopefully this helps.
From: Joshua Roback <jrob...@gmail.com<mailto:jrob...@gmail.com>> Date: Friday, June 12, 2015 at 10:27 AM To: Chaim Sanders <csand...@trustwave.com<mailto:csand...@trustwave.com>>, "owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>" <owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>> Subject: Re: [Owasp-modsecurity-core-rule-set] Ignore URI From Scanning That would work for items within the URI as I need it to, but wouldn't it also ignore for data in the request body via POST? On Fri, Jun 12, 2015 at 10:11 AM Chaim Sanders <csand...@trustwave.com<mailto:csand...@trustwave.com>> wrote: There is in fact access to the requestBodyAccess directive from ctl… See https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ctl<http://scanmail.trustwave.com/?c=4062&d=x-z61WLVKy82sGToPcXlosLPCkYEyRZf-V9joextqQ&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity%2fwiki%2fReference-Manual%23ctl>. You can use it in much the same way you could use RuleEngine. Hope this solves your problem. Chaim Sanders Security Researcher, SpiderLabs Trustwave| SMART SECURITY ON DEMAND www.trustwave.com<http://www.trustwave.com/> From: Joshua Roback [mailto:jrob...@gmail.com<mailto:jrob...@gmail.com>] Sent: Friday, June 12, 2015 10:08 AM To: Chaim Sanders; owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org> Subject: Re: [Owasp-modsecurity-core-rule-set] Ignore URI From Scanning Thanks Chaim. The ideal situation would be if there was a URI equivalent of SecResponseBodyAccess Off I can't always provide a URL string to match against and I don't want to disable all rules since it's only the URI that's encrypted at the application layer. Everything else is simple SSL/TLS which I can decrypt without problem. On Fri, Jun 12, 2015 at 10:02 AM Chaim Sanders <csand...@trustwave.com<mailto:csand...@trustwave.com>> wrote: That will cause all rules to be skipped every time that rule is triggered which will be whenever there is a request that matches that rule. If you want to skip it altogether you can only run ModSec rules on a particular <Location> (see the following example: https://www.digitalocean.com/community/tutorials/how-to-set-up-mod_security-with-apache-on-debian-ubuntu<http://scanmail.trustwave.com/?c=4062&d=x-z61WLVKy82sGToPcXlosLPCkYEyRZf-VNn-LJp8g&s=5&u=https%3a%2f%2fwww%2edigitalocean%2ecom%2fcommunity%2ftutorials%2fhow-to-set-up-mod%5fsecurity-with-apache-on-debian-ubuntu>) Chaim Sanders Security Researcher, SpiderLabs Trustwave| SMART SECURITY ON DEMAND www.trustwave.com<http://www.trustwave.com/> From: Joshua Roback [mailto:jrob...@gmail.com<mailto:jrob...@gmail.com>] Sent: Friday, June 12, 2015 9:57 AM To: Chaim Sanders; owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org> Subject: Re: [Owasp-modsecurity-core-rule-set] Ignore URI From Scanning Wouldn't that bypass all future rules from scanning that same HTTP transactions? On Fri, Jun 12, 2015 at 9:44 AM Chaim Sanders <csand...@trustwave.com<mailto:csand...@trustwave.com>> wrote: You could use the ‘ctl’ action to disable the engine after a certain rule triggers, thereby skipping the rest of the checks. You could also place this in a virtual host area if needed. SecRule REQUEST_URI "@contains /encryptedbit/" "phase:1,t:none,pass, nolog,ctl:ruleEngine=Off” Chaim Sanders Security Researcher, SpiderLabs Trustwave| SMART SECURITY ON DEMAND www.trustwave.com<http://www.trustwave.com/> From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org> [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org>] On Behalf Of Joshua Roback Sent: Friday, June 12, 2015 9:16 AM To: owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org> Subject: [Owasp-modsecurity-core-rule-set] Ignore URI From Scanning Hello Group, I'm come across an issue in which I'll be using ModSecurity to protect a site with an encrypted URI. For the sake of reducing false positives, what would be the most effective way to omit the URI from scanning but continue to scan other HTTP header fields and all payloads? ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
