[mod-security-users] Writing rules.
From: Stephan G. H. <hig...@gm...> - 2014-03-31 18:23:01
Hi all.

I've been reading about getting rid of my false positives. I saw a lot of people recommending the use of "SecRuleRemoveById", but I'm not sure if using SecRuleRemoveById is the best way to do it. I'm trying to write whitelist rules; however, I've got some doubts about it.

Allow x Pass Disruptive Action:

From what I understood, if I use allow as the disruptive action, ModSecurity will match my whitelist rule and after that will just allow the request without passing it through the other rules. But if I use "pass", ModSecurity should only ignore that rule and forward the request to the next rule. I guess the best way of doing it is using pass, right?

However, when I use it, modsec matches the rule and sends me a warning, but the request still gets blocked by the original rule. How am I supposed to create a whitelist rule and ignore the rule that is blocking the request?

For example, my whitelist rule is:

  SecRule REQUEST_URI "((?i)^/report/)" chain,id:321321321,log,phase:1,t:lowercase,pass
    SecRule SERVER_NAME "test\.mydomain\.com"

and I got the following log message:

  [Mon Mar 31 15:03:20.881149 2014] [:error] [pid 12176] [client 172.16.15.230] ModSecurity: Warning. Pattern match "test\\\\.mydomain\\\\.com" at SERVER_NAME. [file "/etc/apache2/owasp-crs/activated_rules/modsecurity_crs_01_mydomain_whitelist_rules.conf"] [line "19"] [id "321321321"] [hostname "test.mydomain.com"] [uri "/report/"] [unique_id "Uzmt6KwQD8oAAC@QFr0AAAAB"]

But it is still getting blocked by the other rule:

  [Mon Mar 31 15:03:20.882708 2014] [:error] [pid 12176] [client 172.16.15.230] ModSecurity: Access denied with code 403 (phase 1). Operator EQ matched 1 at SESSION:IS_NEW. [file "/etc/apache2/owasp-crs/activated_rules/modsecurity_crs_16_session_hijacking.conf"] [line "24"] [id "981054"] [msg "Invalid SessionID Submitted."] [hostname "test.mydomain.com"] [uri "/report/"] [unique_id "Uzmt6KwQD8oAAC@QFr0AAAAB"]

What should I do to make ModSecurity ignore the old rule and only act according to my new whitelist rule? Is it possible to set the new rule to allow a specific rule for a specific domain and a specific URI? Like, configure the new whitelist rule to just ignore rule 981054 for my hostname "test.mydomain.com" for the URI "/report/"?

Regards,
Stephan Gomes Higuti
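The targeted exclusion asked about in the post above, as an added example that is not part of the original message, the CRS, or ModSecurity's own documentation. A rule whose disruptive action is pass only decides what happens when that rule matches; it does not switch off any other rule, which is why the chained whitelist rule in the post logs a warning and 981054 still blocks. ModSecurity 2.x provides the per-transaction ctl:ruleRemoveById action for exactly this case: it removes the named rule for the current request only, and only when the rule carrying it matches, unlike the SecRuleRemoveById directive, which removes the rule for every request in the context where it is declared. The hostname, URI, rule id 981054 and the whitelist rule id 321321321 are taken from the post; the file name in the comment is an assumption.

```apache
# Added example, not code from the original post or from the CRS.
# Per-request exclusion of CRS rule 981054 for host test.mydomain.com
# and URIs under /report/. The rule id is reused from the post; the
# file name below is an assumption.
#
# Assumed location:
#   /etc/apache2/owasp-crs/activated_rules/modsecurity_crs_01_mydomain_whitelist_rules.conf
#
# 981054 is a phase 1 rule (see the "Access denied ... (phase 1)" log line),
# so the exclusion must also run in phase 1 and must be loaded before
# modsecurity_crs_16_session_hijacking.conf. A wildcard Include of the
# activated_rules directory loads files in alphabetical order, so the "01_"
# prefix keeps this file ahead of the "16_" file.

SecRule SERVER_NAME "@streq test.mydomain.com" \
    "id:321321321,phase:1,t:none,nolog,pass,chain"
    # Chained rule: the ctl action sits here, in the last link of the chain,
    # so it runs only when the host AND the URI prefix both match.
    SecRule REQUEST_URI "@beginsWith /report/" \
        "t:none,t:lowercase,ctl:ruleRemoveById=981054"
```

With this in place, a request to http://test.mydomain.com/report/ no longer evaluates 981054 at all, while the same URI on another virtual host and every other URI on test.mydomain.com still get the rule. The exclusion rule itself is nolog, so it leaves no Warning entry; change nolog to log while testing if you want to confirm in error.log that it fired. If instead the whole virtual host should never run 981054, the one-line alternative is `SecRuleRemoveById 981054` inside that vhost's configuration, at the cost of losing the URI-level scoping.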