Thread: [mod-security-users] false positive exclusions
From: Keith L. <ke...@su...> - 2009-07-21 21:21:47
Hi:

We're having some trouble with false positives rejecting our ajax calls to an app we're building. We've tried adding paths to the whitelist, but some don't appear to be taking effect.

Where can I find documentation on the exclude syntax? Are there any other approaches to bypassing specific rules?

Here's what we've got for an in the exclude rule:

<LocationMatch "/foo/bar/foobar/*">
SecRuleRemoveById 950004
SecRuleRemoveById 950107
</LocationMatch>

We've tried variations as well, such as

<LocationMatch "/foo/bar/fobar*">
SecRuleRemoveById 950004
SecRuleRemoveById 950107
</LocationMatch>

Any suggestions would be greatly appreciated.

Thanks!

-- Keith

. . .
The information transmitted is intended only for the person to which it is addressed and may contain confidential material. Review or other use of this information by persons other than the intended recipient is prohibited. If you've received this in error, please contact the sender and delete from any computer.
From: Ryan B. <rya...@br...> - 2009-07-22 14:27:27
Ryan Barnett
Director of Application Security Research
Phone: (703) 794-2248
Cell: (703) 269-8998
Breach Security, Inc.
2141 Palomar Airport Road, Suite 200
Carlsbad, CA 92011
www.breach.com

On Tuesday 21 July 2009 05:21:38 pm Keith Lehman wrote:
> Hi:
>
> We're having some trouble with false positives rejecting our ajax calls to
> an app we're building. We've tried adding paths to the whitelist, but some
> don't appear to be taking effect.

If you can send a sanitized excerpt of your audit log of one of these transactions it would help to identify the exact false positive and help to develop the best fix/exception.

> Where can I find documentation on the
> exclude syntax?

Here are two resources to get you started -
http://blog.modsecurity.org/2007/02/handling-false.html
http://blog.modsecurity.org/2007/12/using-transacti.html

> Are there any other approaches to bypassing specific
> rules?
>

Specifically, you can create new rules that use the "ctl:ruleRemoveById=XXXXXX" action to dynamically disable specific rules under circumstances that you choose.

> Here's what we've got for an in the exclude rule:
>
> <LocationMatch "/foo/bar/foobar/*">
> SecRuleRemoveById 950004
> SecRuleRemoveById 950107
> </LocationMatch>
> We've tried variations as well, such as
>
> <LocationMatch "/foo/bar/fobar*">
> SecRuleRemoveById 950004
> SecRuleRemoveById 950107
> </LocationMatch>
> Any suggestions would be greatly appreciated.
>
> Thanks!
>
> -- Keith
>
> . . .
> The information transmitted is intended only for the person
> to which it is addressed and may contain confidential material.
> Review or other use of this information by persons other than
> the intended recipient is prohibited. If you've received
> this in error, please contact the sender and delete
> from any computer.
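
The two exclusion approaches discussed in this thread, side by side, as an added example that is not part of either post. The rule ids 950004 and 950107 and the path /foo/bar/foobar/ come from the question; the Include path and the local rule id 1000001 are assumptions made for illustration.

```apache
# Added example, not from the thread. Use ONE of the two options below.

# Assumed location of the rule set that defines 950004 and 950107.
Include conf/modsecurity_crs/*.conf

# Option A: runtime exclusion with ctl:ruleRemoveById.
# The rule runs in phase 1, so the ctl actions are already in effect when
# rules in later phases are evaluated for the same request. They only affect
# rules that have not yet run in this transaction.
# id 1000001 is a constructed local id; pick one from your own range.
# @beginsWith is a literal prefix match on the path, so the exclusion is
# limited to requests under /foo/bar/foobar/ and nothing else.
SecRule REQUEST_FILENAME "@beginsWith /foo/bar/foobar/" "phase:1,id:1000001,t:none,nolog,pass,ctl:ruleRemoveById=950004,ctl:ruleRemoveById=950107"

# Option B: static exclusion scoped by location.
# SecRuleRemoveById only removes rules that are already loaded, so this
# block has to come AFTER the Include above in the configuration.
# LocationMatch takes a regular expression, not a shell glob: the pattern is
# anchored with ^ and ends at the trailing slash so it matches the intended
# path prefix only.
<LocationMatch "^/foo/bar/foobar/">
    SecRuleRemoveById 950004
    SecRuleRemoveById 950107
</LocationMatch>
```

Either way, keep the exclusion as narrow as the false positive allows and confirm in the audit log that the request is no longer matched by the removed rules while requests outside the path still are.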