ModSecurity does not currently have the capability to manipulate the raw request and then send it onto the destination (both inbound or outbound). ModSecurity copies the request/response into memory, then applies all specified transformation/normalization functions, and then applies all SecRule checks against it. If one matches, it will take the appropriate Action. There is the possibility of implementing this capability into ModSecurity in future releases.
If you want to remove a specific outbound header, you will need to use some Apache modules/directives. I know of 4 ways to do this –
1) Use the Header directive – Header unset Content-Length
   http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header
2) Use Mod_Ext_Filter – This Apache 2.X module allows for arbitrary filter hooks to do whatever you want to the data.
    ExtFilterDefine remove-header mode=output intype=text/html ftype=30 \
        cmd="/bin/sed s/Content-Length//gi"
    <Location />
    SetOutputFilter remove-header
    </Location>
While this will work, it is not the desired config due to the performance hit of spawning SED processes for all outbound data.
3) Use mod_perl – this is more efficient than the SED example of mod_ext_filter since mod_perl will initiate one perl instance upon startup that all scripts can use. You then need to create a perl module to alter this outbound data. Here is a bit of info - http://www.samspublishing.com/articles/article.asp?p=27110&seqNum=11&rl=1
4) Implement mod_line_edit - http://apache.webthing.com/mod_line_edit/
--
Ryan C. Barnett
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
From: mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Felix Faassen
Sent: Thursday, November 23, 2006 5:53 AM
To: mod-security-users@xxxxxxxxxxxxxxxxxxxxx
Subject: [mod-security-users] Please help: How to Change / Remove HTTP response headers conditionally based on request headers
I would like to know if it is possible to change/remove HTTP response headers conditionally using mod_security.
For instance, if a "User-Agent" contains Mozilla*, remove HTTP header ContentLength
I've configured the following rules:
    SecRule REQUEST_HEADERS "User Agent: Mozilla*" "log,phase:1,chain"
    SecRule RESPONSE_HEADERS "@rx s/Content-Length://g" "log, phase:3"
This does not seem to be working. Any tips and ideas are most welcome.
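Added example, not part of the original thread and not written by either poster: option 1 above (the Header directive) made conditional on the request's User-Agent, which is what the original question asks for. It assumes mod_setenvif and mod_headers are loaded; the environment variable name strip_cl is made up for illustration.

```apache
# Added example; strip_cl is a hypothetical variable name.
# Requires mod_setenvif and mod_headers.

# Flag any request whose User-Agent header matches the regex "Mozilla"
# (SetEnvIfNoCase matches case-insensitively).
SetEnvIfNoCase User-Agent "Mozilla" strip_cl

<Location />
    # The env= condition makes mod_headers act only on requests
    # for which the flag above was set.
    Header unset Content-Length env=strip_cl
</Location>

# Confirm the result on the wire for a matching and a non-matching client
# (localhost is a placeholder for the server under test):
#   curl -s -o /dev/null -D - -A "Mozilla/5.0" http://localhost/
#   curl -s -o /dev/null -D - -A "probe"       http://localhost/
```

The same env= condition works with any other response header name, so the check with curl is worth repeating for each header being stripped.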