Re: [Owasp-modsecurity-core-rule-set] [mod-security-users] crs ruleset and trace method?

Wed, 21 Mar 2018 03:12:08 -0700 

Not enought familiar with modsecurity.

Just wondering, that there is no any rule to block trace in crs. is there
easy way to implement that?

--
Eero

On Wed, Mar 21, 2018 at 11:53 AM, Christian Folini <
christian.fol...@netnea.com> wrote:

> Hey Eero,
>
> The TRACE method is somewhat special. At least in Apache. The request
> skips phase 2 and thus the CRS rule covering tx.allowed_methods.
>
> There are discussions to move this block of rules to phase 1 though.
> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015
>
> You may want to chime in there.
>
> Ahoj,
>
> Christian
>
> On Wed, Mar 21, 2018 at 09:15:52AM +0200, Eero Volotinen wrote:
> > Hi,
> >
> > Just noticed that crs ruleset is not blocking trace method, even
> > setvar:'tx.allowed_methods=GET POST'"
> >
> > Is this a bug?
> >
> > Eero
>
> > ------------------------------------------------------------
> ------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
> > _______________________________________________
> > mod-security-users mailing list
> > mod-security-us...@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/
>
>
> --
> https://www.feistyduck.com/training/modsecurity-training-course
> https://www.feistyduck.com/books/modsecurity-handbook/
> mailto:christian.fol...@netnea.com
> twitter: @ChrFolini
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> mod-security-users mailing list
> mod-security-us...@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

Reply via email to