Hi,
I'm trying to find out how I can assign an id so I can easily exclude the following rule (by adding the id and /dwmail/compose.php) to the excludes.conf file:
Here is the Rule:
#cross site scripting stealth attempt to execute Javascript code
#may false alarm for some language sets
SecFilterSelective REQUEST_URI "!(/index.php?module=Blocks&type=admin&func=update|/index.php?go=.*&edit=)" chain
SecFilter "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"
Here is the false positive:
==f0bd0d77==============================
Request: xxx.xxx.xxx.xxx xxx.xxx.xxx.239 - - [27/Oct/2006:20:59:48 -0400] "POST /dwmail/compose.php HTTP/1.1" 500 538 "http://xxx.xxx.xxx.xxx/dwmail/compose.php?sessionid=da39ebd39c7b6489a03c212216c64627" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.5))" RUKrg9EI6AoAAA6sCDg "-"
-----------------------------------------
-POST /dwmail/compose.php HTTP/1.1
----------------: ----- -------
Accept: */*
Accept-Language: en-us
Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 6332
Content-Type: multipart/form-data; boundary=---------------------------7d62c0102e02a4
Host: xxx.xxx.xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/dwmail/compose.php?sessionid=da39ebd39c7b6489a03c212216c64627
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.5))
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]" at POST_PAYLOAD [severity "EMERGENCY"]
-------
thx,
SW
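
To see which kinds of compose content trip the pattern quoted in the log above, this added example (not part of the original post, and not gotroot or ModSecurity code) runs that pattern with Python's `re` over constructed message bodies. Case-insensitive matching and the form field name `message` are assumptions; the boundary string is the one from the logged request.

```python
import re

# Pattern from the mod_security-message line in the post. IGNORECASE is an
# assumption about how the ModSecurity 1.x engine compiles SecFilter patterns.
WS = r"[\x09\x0a\x0b\x0c\x0d]*"  # tab/LF/VT/FF/CR allowed between letters
XSS_PATTERN = re.compile(
    r"(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*"
    + WS + WS.join("javascript") + WS + r"[\:]",
    re.IGNORECASE,
)

BOUNDARY = "---------------------------7d62c0102e02a4"  # boundary from the log


def multipart_body(text, field="message"):
    """Wrap text in one form-data part; the field name is hypothetical."""
    return (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="{field}"\r\n\r\n'
        f"{text}\r\n--{BOUNDARY}--\r\n"
    )


def rule_fires(payload):
    """True when the pattern matches anywhere in the POST payload."""
    return XSS_PATTERN.search(payload) is not None


# Constructed message bodies a webmail user might submit (not from the log).
SAMPLES = {
    "plain text": "Meeting moved to 3pm, see http://example.com/agenda",
    "prose mention": "We use JavaScript: it runs in the browser.",
    "quoted html link": '<a href="javascript:window.print()">Print</a>',
    "line-wrapped attribute": "<img src=\n'java\tscript:void(0)'>",
    "css url()": "background: url( javascript:void(0) )",
}


def classify(samples=SAMPLES):
    return {name: rule_fires(multipart_body(text)) for name, text in samples.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{'BLOCK' if hit else 'pass ':5}  {name}")
```

The pattern needs an attribute or `url(` prefix before the scheme, so a prose mention of the word passes while HTML quoted or forwarded in a message body is blocked.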