Richard, On Thu, Jan 14, 2016 at 02:45:35PM +0000, Richard Jones wrote: > The following seems to parse but I’ve no idea if it’s working or not. > Specifically I doubt that chain will extend to all the following > SecRuleUpdate’s. > > SecRule REQUEST_URI “(?i)/+nmsruntime” \ > “chain,id:’000002’,phase:1,t:none,pass,log” > SecRuleUpdateTargetById 981317 “!REQUEST_COOKIES:/^VarQuestion_[0-9]+/” > SecRuleUpdateTargetById 981257 “!REQUEST_COOKIES:/^VarQuestion_[0-9]+/” > SecRuleUpdateTargetById 981245 “!REQUEST_COOKIES:/^VarQuestion_[0
No, this does not work. chain is limited to SecRule. I believe, what you want is: SecRule REQUEST_URI "..." "phase:1,...,ctl:ruleRemoveTargetById=981317;REQUEST_COOKIES:/^VarQuestion/,ctl:ruleRemoveTargetById=981257;..." I have not tried this out myself. But this is the basic pattern, I would use. What I am not sure is if you really want to limit the ignoring of the said cookies to a certain path. This implies you want to check these cookies for other paths as well. Would not it be simplet to use SecRuleUpdateTargetById without path restriction and ignore the cookies site-wide? Likewise, my regex pattern assumes, VarQuestion_... brings only numbers as suffix. And as this should cover all of them, I think the simpler and faster regex pattern is good enough. > And using the Anomaly scoring method I couldn’t work out how to update > the REQUEST_COOKIE target to exclude these cookies, and it doesn’t look > like I can use a regex to capture VarQuestion_[0-9]+. I have something in mind, that there is an issue with the +. Maybe you want to try *. What certainly does not work is (a|b) patterns. Do not know why. Ahoj, Christian > > Thanks, > > Richard > > -- > http://www.jonze.com/privacy.html > _______________________________________________ > Owasp-modsecurity-core-rule-set mailing list > Owasp-modsecurity-core-rule-set@lists.owasp.org > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set -- Christian Folini Ringstrasse 2 CH-3639 Kiesen +41 (0)31 301 60 71 (H) +41 (0)79 220 23 76 (M) mailto:christian.fol...@netnea.com (Business) mailto:christian.fol...@time-machine.ch (Private) http://www.christian-folini.ch _______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
