exclusion for attack-lfi

[oma...@gmail.com]

Hello,

there are many occurrences of single double dot '/../' in sites I try to protect by CRS Project.

For example: 

    '/web/resources/css/../images/ico_checkbox2.png'

    '/catalog/view/theme/theme_web/stylesheet/../image.png'

    

For these examples I'm able to build exclusion like this: 

  SecRule REQUEST_URI_RAW "@beginsWith /catalog/view/theme/theme_onlinekoupelny/stylesheet/../" \

      "id:'000025', \

      phase:2, \

      nolog, \

      ctl:ruleRemoveByTag='attack-lfi', \

      pass"

      

I would like to ask you, is there any possibility to solve it with only one universal exclusion? I just need to exclude single occurence of this in URI: /../. Occurence '/../../' should be marked as attack.

Thank you,

Standa