Re: [mod-security-users] Fully whitelisting an argument
From: Breno S. <bre...@gm...> - 2012-07-15 21:42:18
Hello David,

You should define an Id or Id range (2.7) when using SecRuleUpdateTargetById.

Thanks

Breno

On Sun, Jul 15, 2012 at 9:38 AM, Ryan Barnett <RBa...@tr...> wrote:
>
> On 7/15/12 3:56 AM, "David R" <re...@li...> wrote:
>
> >Hello
> >
> >I am actually setting up modsecurity for a website.
> >I have to deal with false positives customization...
> >
> >For the exception based on LocationMatch + SecRuleRemoveById no problems!
> >
> >But when I need to whitelist a POST/GET parameter I encounter troubles.
> >
> >I tried many possibilities but none of them succeeded. 5Apache restart but
> >my whitelisted argument is not considered (still filtered)
> >
> >The argument I want to blacklist is "msg" (as you can imagine it's the
> >content of a message posted by a user, so it may contain many false
> >positives like smileys etc...)
> >
> >Below some rules I actually put in my modsecurity_crs_999 file:
> >SecRule REQUEST_FILENAME "@streq /"
> >"phase:1,t:none,nolog,pass,ctl:ruleRemoveById=*;ARGS:msg"
> >(not working, arg msg still filtered)
> >
> >or
> >SecRule REQUEST_FILENAME "@streq /"
> >"phase:1,t:none,nolog,pass,ctl:ruleRemoveById=000000-999999;ARGS:msg"
> >(doesn't work)
> >
> >SecRuleUpdateTargetById * "!ARGS:msg"
> >(not working)
> >
> >SecRuleRemoveByMsg .*SQL.* "ARGS:msg"
> >(this one works but has the side effect of removing SQL detection for all
> >the pages)
> >
> >So as you understood I need to fully whitelist an argument and I can't,
> >any help would be really appreciated.
> >For your information I can't whitelist the Location as it is an index.php
> >file with many functions in the backend.
> >
> >Thanks in advance.
>
> Try using SecRuleUpdateTargetByTag -
> http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRuleUpdateTargetByTag
>
> You could put in something like this in your modsecurity_crs_999 file for
> each attack category -
>
> SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" "!ARGS:msg"
>
> SecRuleUpdateTargetByTag "WEB_ATTACK/XSS" "!ARGS:msg"
>
> -Ryan
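
The exclusions discussed in this thread, laid out side by side as an added example that is not part of the original messages. The tags, the `msg` argument and the `@streq /` match come from the thread; the rule id 1000001 is constructed, and Option B assumes a ModSecurity 2.x build that supports the `ctl:ruleRemoveTargetByTag` action.

```apache
# Added example, not from the thread. Use Option A or Option B, not both.

# Too broad (the variant reported above as "works but has the side effect"):
# it removes every rule whose msg matches "SQL", on every page and for
# every parameter, so SQL injection detection is lost site-wide.
# SecRuleRemoveByMsg ".*SQL.*"

# Option A: configuration-time exclusion.
# Must be loaded AFTER the rule files it modifies (for example in
# modsecurity_crs_999...), because it edits rules that already exist.
# Only the ARGS:msg target is dropped; the same rules still inspect every
# other parameter. Add one line per attack category that produces false
# positives on this field.
SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" "!ARGS:msg"
SecRuleUpdateTargetByTag "WEB_ATTACK/XSS" "!ARGS:msg"

# Option B: per-request exclusion, limited to one path.
# Must be loaded BEFORE the rule files it affects, because ctl actions only
# change rules that run later in the same transaction.
# The "<selector>;ARGS:msg" form belongs to the ruleRemoveTarget* actions;
# ctl:ruleRemoveById takes only an id or id range and removes whole rules.
# id 1000001 is a constructed value; pick one from your local id range.
SecRule REQUEST_FILENAME "@streq /" \
    "id:1000001,phase:1,t:none,nolog,pass,\
    ctl:ruleRemoveTargetByTag=WEB_ATTACK/SQL_INJECTION;ARGS:msg,\
    ctl:ruleRemoveTargetByTag=WEB_ATTACK/XSS;ARGS:msg"
```

With either option the `msg` parameter is no longer inspected by the listed categories, so the application itself has to encode or parameterize that field wherever it is stored or displayed.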