Re: [mod-security-users] Skipping core ruleset for some arguments
From: Scott G. <sgi...@su...> - 2012-02-07 16:19:27

Is it possible to specify a group of rules to update, similar to SecRuleRemoveByTag and friends? Or to exclude a variable from all rules?

What I'm finding is that some variables, like those containing Base64-encoded data, should basically be excluded from all SQL injection filtering, because they sometimes randomly have SQL keywords in them, and because they are never used in an SQL query anyways.

I'm looking for a more straightforward way to do this than listing all the Base64 variables for each specific rule, which is quickly becoming cumbersome and error-prone.

Thanks!

-----Scott.

On Mon, Feb 6, 2012 at 11:49 PM, Scott Gifford <sgi...@su...> wrote:

> Got it, thanks, this seems to be working! I'll let things run overnight
> and see if I run into problems.
>
> Thanks!
>
> -----Scott.
>
> On Mon, Feb 6, 2012 at 11:37 PM, Ryan Barnett <RBa...@tr...> wrote:
>
>> See this blog post -
>>
>> http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html
>>
>> You want to use SecRuleUpdateTargetById.
>>
>> Ryan
>>
>> On Feb 6, 2012, at 10:51 PM, "Scott Gifford" <sgi...@su...> wrote:
>>
>> > Hello,
>> >
>> > I'm working on securing a large Web application with mod_security using
>> > a combination of the OWASP core ruleset and my own custom rules.
>> >
>> > With the OWASP ruleset, I am seeing a fair number of false positives,
>> > primarily with some arguments that contain large, Base64-encoded strings,
>> > which occasionally end up with things like XOR in them and trigger the SQL
>> > injection rules.
>> >
>> > For these arguments, I would like to write my own rules to ensure they
>> > contain only Base64-encoded data, and then bypass the OWASP SQL injection
>> > rules for the argument. For other arguments, even in the same request, I
>> > would like to leave the full OWASP ruleset enabled.
>> >
>> > I have a working rule that matches only Base64 characters, but I don't
>> > know how to exclude specific arguments from the OWASP ruleset.
>> >
>> > Is it possible to have some arguments which are checked by the OWASP
>> > rules, and others which bypass it?
>> >
>> > Thanks!
>> >
>> > -----Scott.
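
Added example, not part of the thread and not ModSecurity or CRS project code: one way to avoid hand-listing every Base64 argument for every rule is to generate the `SecRuleUpdateTargetById` directives from the rule files by tag. The sample rules, their IDs and tags, and the argument names `session_blob` and `viewstate` are constructed for illustration.

```python
import re

# Constructed sample in the style of a CRS rules file. The IDs, patterns and
# tags are placeholders for illustration, not actual CRS rules.
SAMPLE_RULES = r'''
SecRule ARGS "@rx (?i:\bxor\b)" \
    "phase:2,block,id:'900001',msg:'SQLi keyword',tag:'WEB_ATTACK/SQL_INJECTION'"
SecRule ARGS|REQUEST_COOKIES "@rx (?i:union\s+select)" \
    "phase:2,block,id:900002,tag:'WEB_ATTACK/SQL_INJECTION',tag:'PCI/6.5.2'"
SecRule ARGS "@rx <script" \
    "phase:2,block,id:'900003',tag:'WEB_ATTACK/XSS'"
# SecRule ARGS "@rx old" "phase:2,id:'900004',tag:'WEB_ATTACK/SQL_INJECTION'"
'''

ID_RE = re.compile(r"\bid:'?(\d+)'?")
TAG_RE = re.compile(r"\btag:'([^']*)'")
# Conservative allow-list so a name cannot break out of the quoted target.
ARG_NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")


def rule_ids_with_tag(rules_text, tag):
    """Return the IDs of active SecRule directives carrying `tag`, in file order."""
    joined = re.sub(r"\\\r?\n\s*", " ", rules_text)  # undo line continuations
    ids = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("SecRule "):  # skips comments and other directives
            continue
        m = ID_RE.search(line)
        if m and tag in TAG_RE.findall(line):
            ids.append(int(m.group(1)))
    return ids


def exclusion_directives(rules_text, tag, arg_names):
    """Build one SecRuleUpdateTargetById line per (rule ID, argument) pair."""
    for name in arg_names:
        if not ARG_NAME_RE.fullmatch(name):
            raise ValueError(f"unsafe argument name: {name!r}")
    return [f'SecRuleUpdateTargetById {rid} "!ARGS:{name}"'
            for rid in rule_ids_with_tag(rules_text, tag)
            for name in arg_names]


if __name__ == "__main__":
    # session_blob and viewstate are hypothetical Base64 argument names.
    print("\n".join(exclusion_directives(
        SAMPLE_RULES, "WEB_ATTACK/SQL_INJECTION", ["session_blob", "viewstate"])))
```

Load the generated directives after the rule files they refer to, since SecRuleUpdateTargetById can only modify rules that are already defined.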