On 12/6/11 9:31 PM, "Tzury Bar Yochay" <[email protected]> wrote:
>While going through the rule files I have gathered a few questions, and I
>would appreciate it if someone could help me with them.
>
>1) I have seen several cases where setvar is stated without the right
>part, e.g.
>
> SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)"
>"capture,t:none,setvar:!tx.%{tx.1}"
>
> I wonder what it means, as normally, set is in the form of x = y,
>and not x, or !x in this case.
This is the syntax to remove a TX variable entirely.
>
>2) There seems to be a typo at line:
>
> SecRule REQUEST_LINE "^GET /$"
>"chain,phase:2,id:981020',t:none,pass,nolog"
>
> There is a trailing apostrophe (') after the id
There actually should have been a single quote at the beginning of the id
data like this - id:'981020'. I fixed it locally and it will be updated
in SVN soon.
>
>3) A few days ago I asked the following question but have not yet got an answer:
> When I see a rule such as
>
> SecRule ARGS:&category "(?i:SELECT.+FROM)"
>"ctl:auditLogParts=+..."
>
> I wonder what the role of the ampersand before the category is. As
> far as I know, '&' means a counting operation and it is usually followed
> by a numeric operation, e.g. @eq, @ge and the like.
>
> However, this is a case where I see & followed by an implicit
>'@rx'
This was a bug in the snort2modsec.pl script. The & should have been
removed when creating the SecRule. I will take a look.
-Ryan
>
>
>Thanks in advance for your help,
>Tzury
>_______________________________________________
>Owasp-modsecurity-core-rule-set mailing list
>[email protected]
>https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
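
Added example, not part of the original thread and not CRS project code: a small Python linter that flags the three rule patterns discussed above (a `setvar:!` deletion, a half-quoted action value, and `&` counting paired with a non-numeric operator). The function names, the one-rule-per-string input form and the comma split of the action list are assumptions made for the illustration.

```python
import re

# SecRule VARIABLES "OPERATOR" "ACTIONS", one rule per string (wrapped lines joined)
RULE_RE = re.compile(r'^\s*SecRule\s+(\S+)\s+"((?:[^"\\]|\\.)*)"\s+"((?:[^"\\]|\\.)*)"\s*$')
NUMERIC_OPS = {"@eq", "@ge", "@gt", "@le", "@lt"}


def setvar_kind(expr):
    """Classify the argument of one setvar action."""
    if expr.startswith("!"):
        return "delete"                      # setvar:!tx.name removes the variable
    if "=+" in expr or "=-" in expr:
        return "increment/decrement"
    return "assign" if "=" in expr else "create (value 1)"


def lint_rule(rule):
    """Return a list of findings for a single SecRule string."""
    m = RULE_RE.match(rule)
    if not m:
        return ["unparsed: not a three-field SecRule"]
    variables, operator, actions = m.groups()
    findings = []
    # '&' turns a variable into a count, so the operator must compare numbers.
    op_name = operator.lstrip("!").split(" ", 1)[0]
    counted = [v for v in variables.split("|") if "&" in v]
    if counted and op_name not in NUMERIC_OPS:
        shown = op_name if op_name.startswith("@") else "implicit @rx"
        findings.append(f"count operator on {counted[0]} used with {shown}")
    # An odd number of unescaped single quotes means a value is half-quoted.
    if actions.replace("\\'", "").count("'") % 2:
        findings.append("unbalanced single quote in action list")
    # Simplification: real action lists may contain commas inside quoted values.
    for action in actions.split(","):
        name, _, arg = action.strip().partition(":")
        if name == "setvar":
            kind = setvar_kind(arg.strip("'"))
            findings.append(f"setvar {kind}: {arg}")
    return findings


# Constructed input: the three rules quoted in the thread, each joined onto one line.
SAMPLES = [
    'SecRule TX:\'/MISSING_HEADER_/\' "TX\\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"',
    'SecRule REQUEST_LINE "^GET /$" "chain,phase:2,id:981020\',t:none,pass,nolog"',
    'SecRule ARGS:&category "(?i:SELECT.+FROM)" "ctl:auditLogParts=+..."',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(lint_rule(sample), "<-", sample)
```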