Re: [mod-security-users] Best Practice for Overriding Core Rule Behavior
From: Art A. S. <art...@gm...> - 2011-08-02 15:30:01
Anyone? Even a pointer to the right spot in the documentation will be helpful. How best to modify 2.x series rules? Thanks!

On Sun, Jul 31, 2011 at 4:31 PM, Art Age Software <art...@gm...> wrote:
> I'm at a bit of a loss as to how to override rule behavior under the
> new core rules scheme. Previously, using the old-style core rules, I
> was able to use SecRuleRemoveById to remove a rule and then SecRule to
> immediately redefine it. This no longer seems to work. Here is a
> specific example I am trying to solve:
>
> # [ SQL Injection Character Anomaly Usage ]
> # Adjust the @ge operator value appropriately for your site.
> #
> SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*
> "@pm ~ ! @ # $ % ^ & * ( ) - + = { } [ ] | : ; \" ' ´ ’ ‘ ` < >"
> "phase:2,id:'973020',t:none,t:urlDecodeUni,nolog,pass,setvar:'tx.restricted_sqli_char_payloads_%{matched_var_name}=%{matched_var}'"
> .
> .
> .
> SecRule TX:RESTRICTED_SQLI_CHAR_COUNT "@ge 4"
> "phase:2,t:none,block,id:'981173',rev:'2.2.1',msg:'Restricted SQL
> Character Anomaly Detection Alert - Total # of special characters
> exceeded',logdata:'%{matched_var}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
>
>
> I would like to adjust the @ge operator value as suggested, without
> altering the core rule. Something like this in my Apache virtual host
> config block:
>
> <VirtualHost>
> SecRuleRemoveById 981173
> SecRule TX:RESTRICTED_SQLI_CHAR_COUNT "@ge 10"
> "phase:2,t:none,block,id:'981173',rev:'2.2.1',msg:'Restricted SQL
> Character Anomaly Detection Alert - Total # of special characters
> exceeded',logdata:'%{matched_var}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
> </VirtualHost>
>
>
> Also, let's say I don't want to inspect cookie data. I would like to
> do something like this:
>
> <VirtualHost>
> SecRuleRemoveById 973020
> SecRule REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*
> "@pm ~ ! @ # $ % ^ & * ( ) - + = { } [ ] | : ; \" ' ´ ’ ‘ ` < >"
> "phase:2,id:'973020',t:none,t:urlDecodeUni,nolog,pass,setvar:'tx.restricted_sqli_char_payloads_%{matched_var_name}=%{matched_var}'"
> </VirtualHost>
>
> What's the best practice for modifying the behavior of core rules
> without editing the actual rules files?
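An added configuration example, not part of this thread or of the CRS itself, showing the two overrides the question asks about as a practitioner would lay them out. It assumes the CRS is loaded by an Include in the server-wide config (path is a placeholder) and that ModSecurity 2.6 or later is in use, since SecRuleUpdateTargetById was introduced in that version; the rule-modifying directives (SecRuleRemoveById, SecRuleUpdateTargetById) only act on rules that have already been loaded, so they must come after the Include.

```apache
# Server-wide: load the core rules first. Placeholder path, adjust to your layout.
Include /etc/modsecurity/crs/*.conf

<VirtualHost *:80>
    ServerName example.com

    # 1) Raise the special-character threshold for this host only.
    #    Remove the stock rule, then redefine it under the same id with the
    #    new @ge value. The CRS file on disk stays untouched, so upgrades
    #    do not silently revert the change.
    SecRuleRemoveById 981173
    SecRule TX:RESTRICTED_SQLI_CHAR_COUNT "@ge 10" \
        "phase:2,t:none,block,id:'981173',rev:'2.2.1',\
        msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
        logdata:'%{matched_var}',\
        setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
        setvar:tx.sql_injection_score=+1,\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

    # 2) Stop inspecting cookie values in 973020 without copying the rule.
    #    SecRuleUpdateTargetById edits the variable list of the loaded rule;
    #    the leading "!" removes a target instead of adding one. Cookie names
    #    (REQUEST_COOKIES_NAMES) are still inspected, matching the intent above.
    SecRuleUpdateTargetById 973020 !REQUEST_COOKIES
</VirtualHost>
```

Because the override keeps id 981173, audit-log entries for this host still carry the familiar rule id, so any alerting keyed on it keeps working while the threshold change is visible only in the logged @ge value.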