OK, so you are using an older version of Mod (1.9 perhaps). If you want to keep your existing rules, but you want to allow that one specific URL through, then you can do this -
SecFilterSelective REQUEST_URI "^/admin/admin.php" chain,pass
SecFilterSelective ARG_url "^http:/" skipnext:2
SecFilter "(http|https|ftp):/" chain
SecFilterSelective ARGS_VALUES "^http:/"
This essentially uses a chained rule that first checks to see if the URL location is the "/admin/admin.php" script and then that the "url" argument is present. If both of those are true and if the url ARG has a remote URL specified, then the rule issues a "pass" action and will skip the next chained ruleset.
Do note that skipnext acts differently than skip does in Mod 2.0 in that skipnext considers each directive separately whereas skip takes into account chained rules. So, while in 1.9 we had to use skipnext:2 to skip over the next chained ruleset, in 2.0 we could just use skip:1.
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache
--------------
Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
Learn More About the Breach Webinar Series:
http://www.breach.com/webinars.asp
--------------
> -----Original Message-----
> From: bad_brain [mailto:bad_brain@suck-o.com]
> Sent: Friday, March 30, 2007 12:53 PM
> To: Ryan Barnett
> Subject: Re: [mod-security-users] allowing remote inclusions as exceptions?
>
> Ryan Barnett wrote:
>
> >Yes, it is possible to create exceptions to rules. Is your
> >configuration blocking these requests (assuming your site name is
> >www.hostsite.com) -
> >
> >http://www.hostsite.com/admin/admin.php?f=index&url=http://www.indexed-site.com/&reindex=1
> >
> >What rule is triggering? Can you provide an example alert message for
> >the rule that is matching that you want to create an exception for?
> >
> thanks for your reply,
> yes, my config is blocking the requests, the rules which apply should be these 2:
> SecFilter "(http|https|ftp):/" chain
> SecFilterSelective ARGS_VALUES "^http:/"
> I can't provide an example error message because I log such incidents
> through the IDS, but because of the error type it is definitely blocked
> by mod sec, and the only candidates are these 2 rules because I use a
> very slim rule-set.
>
> -----------------------------
>
> SHA1 Fingerprint
> 2F:B3:C4:72:0E:A9:47:11:04:5C:1D:7B:73:C6:71:B8:6B 9:B7:BA
>
> MD5 Fingerprint
> 18:36:79:A2:68:19:4E:AF:8B:10:37:02:82:B2
>
> -----------------------------
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
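As an added illustration of the chain/pass/skipnext logic in Ryan's reply, here is a small Python simulation of the four rules walking over constructed request lines. This is my own example, not ModSecurity code and not part of the thread: how each variable expands, that the actions of all links in a chain combine once the whole chain matches, and that a match without "pass" denies are assumptions of the model, which only looks at GET query strings. The request lines other than the /admin/admin.php one are constructed for the demonstration.

```python
"""Simulated walk through the ModSecurity 1.9 rules quoted in the reply.

Added example, not the project's code. The chain/pass/skipnext/skip semantics
are an assumed model of the behaviour described in the reply, reduced to GET
request lines, and are not an implementation of ModSecurity itself.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Each rule: (variable, regex, is_chain_link, actions). The first two rules are
# the exception chain from the reply; the last two are the poster's own rules.
# "REQUEST" stands in for a plain SecFilter, which inspects the whole request.
RULES_19 = [
    ("REQUEST_URI", r"^/admin/admin.php", True,  {"pass": True}),
    ("ARG_url",     r"^http:/",           False, {"skipnext": 2}),
    ("REQUEST",     r"(http|https|ftp):/", True, {}),
    ("ARGS_VALUES", r"^http:/",           False, {}),
]

# The same rules with skipnext:1 instead of skipnext:2 (constructed variant,
# to show why two directives must be skipped in 1.9).
RULES_19_SKIPNEXT1 = [RULES_19[0], ("ARG_url", r"^http:/", False, {"skipnext": 1})] + RULES_19[2:]

# The exception written with a 2.0-style skip:1, which counts the following
# chain as a single rule (assumed, following the reply's description).
RULES_20 = [
    ("REQUEST_URI", r"^/admin/admin.php", True,  {"pass": True, "skip": 1}),
    ("ARG_url",     r"^http:/",           False, {}),
    ("REQUEST",     r"(http|https|ftp):/", True, {}),
    ("ARGS_VALUES", r"^http:/",           False, {}),
]

# Request lines: the first is the one from the thread, the rest are constructed.
ADMIN_REQUEST = "/admin/admin.php?f=index&url=http://www.indexed-site.com/&reindex=1"
OTHER_REQUEST = "/index.php?url=http://www.indexed-site.com/"
ADMIN_NO_URL = "/admin/admin.php?f=index"
HTTPS_REQUEST = "/index.php?url=https://www.indexed-site.com/"


def variable_values(var, uri):
    """Expand a rule variable to the strings it is matched against (assumed
    mapping: REQUEST and REQUEST_URI are the request line's path+query,
    ARG_<name> is one query parameter, ARGS_VALUES are all parameter values)."""
    args = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    if var in ("REQUEST", "REQUEST_URI"):
        return [uri]
    if var == "ARGS_VALUES":
        return [value for _, value in args]
    if var.startswith("ARG_"):
        wanted = var[len("ARG_"):]
        return [value for name, value in args if name == wanted]
    raise ValueError(f"unknown variable {var}")


def rule_matches(rule, uri):
    var, pattern, _chain, _actions = rule
    return any(re.search(pattern, value) for value in variable_values(var, uri))


def chain_end(rules, start):
    """Index one past the last link of the chain that begins at `start`."""
    end = start
    while end < len(rules) - 1 and rules[end][2]:
        end += 1
    return end + 1


def evaluate(rules, uri, chain_aware_skip=False):
    """Return 'deny' or 'allow' for one request line.

    chain_aware_skip=False models 1.9 `skipnext:N` (skip N directives, i.e.
    lines); True models 2.0 `skip:N` (skip N rules, a whole chain counting as
    one). A matching rule or chain without `pass` denies (assumed default)."""
    skip_key = "skip" if chain_aware_skip else "skipnext"
    i = 0
    while i < len(rules):
        end = chain_end(rules, i)
        chain = rules[i:end]
        if all(rule_matches(r, uri) for r in chain):
            actions = {}
            for r in chain:
                actions.update(r[3])      # assumed: actions of all links apply
            if not actions.get("pass"):
                return "deny"
            for _ in range(actions.get(skip_key, 0)):
                if end >= len(rules):
                    break
                end = chain_end(rules, end) if chain_aware_skip else end + 1
        i = end
    return "allow"


def demo():
    """Decisions for each constructed request under the three rule sets."""
    return {
        "1.9 admin url":          evaluate(RULES_19, ADMIN_REQUEST),
        "1.9 other script":       evaluate(RULES_19, OTHER_REQUEST),
        "1.9 admin without url":  evaluate(RULES_19, ADMIN_NO_URL),
        "1.9 https value":        evaluate(RULES_19, HTTPS_REQUEST),
        "1.9 skipnext:1 admin":   evaluate(RULES_19_SKIPNEXT1, ADMIN_REQUEST),
        "2.0 skip:1 admin":       evaluate(RULES_20, ADMIN_REQUEST, chain_aware_skip=True),
        "2.0 skip:1 other":       evaluate(RULES_20, OTHER_REQUEST, chain_aware_skip=True),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:24s} -> {decision}")
```

Running it shows the admin script with a remote url= value allowed, the same value on another script denied, and that skipnext:1 in place of skipnext:2 lands inside the second chain, so its last directive is evaluated on its own and denies the request; the 2.0-style skip:1 gives the same decisions as 1.9's skipnext:2. One thing the walk also makes visible is that the second chain's last rule anchors on http:/ only, so in this model an https:// value falls through even though the first SecFilter lists https and ftp; whether that matches the intended coverage is worth checking when reviewing the rule set.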