I've been doing some reading, but I'm not quite sure how to address this problem. I'm working on a very poorly written app that has lots of security issues. I've got modsecurity running protecting it, but to get it working I've had to disable 22 rules (SecRuleRemoveByID NUM). I'd prefer for these rules to only be disabled for the specific issue where they block legitimate use.
In this case, the problem is in the ARGS for AnSwEr0001, but there will be numerous AnSwErS in this app. (0001,0002,0003, etc.)
I don't want to allow 8t^2 in the general case, but I have to allow it in this specific case. Is there a way to do this by either altering the rule or by using a special command?
I read something on the web about using SecRuleUpdateTargetsById NUM "!ARGS_NAMES", but the explanation wasn't very clear, and when I placed that in my custom rules file (modsecurity_crs_60_custom_rules.conf) Apache balked with the following error: Invalid command 'SecRuleUpdateTargetById', perhaps misspelled or defined by a module not included in the server configuration
Did I put it in the wrong place? Is it the right way to attack this problem?
Edited to add:
Maybe this will help?
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
If I understand that correctly, we're running modsecurity 2.7.3 with the CRS version 2.2.6. The error Apache throws seems to be indicating that the version I have doesn't know about that command, but I thought it was available in version 2.6.
Last edit: Paul Schmehl 2013-09-11
Never mind. I figured it out. The command has to be read in before all the rules. I created a custom rule file named modsecurity_crs_15_customrules.conf, and Apache is happy now.
I have a related question. Can you use wildcards in ARGS:foo? For example:
SecRuleUpdateTargetById 999999 "!ARGS:foo*"
Or does the suffix have to be precise? E.g. foo1, foo2, foo3?
Last edit: Paul Schmehl 2013-09-11
Never mind again. I found the section in the manual and read that you can use regex.
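For readers arriving at this thread with the same two questions (how to narrow a blanket SecRuleRemoveById to a single parameter, and how to cover a whole family of parameter names such as AnSwEr0001, AnSwEr0002, ...), the following is an added example, not configuration from the thread or from the CRS project. It uses the placeholder rule ID 999999 from the thread; the real ID is the one reported in the audit log entry for the blocked request. One point the first post brushes against: "!ARGS_NAMES" would stop the rule inspecting the collection of parameter *names*, but the value "8t^2" that is being blocked lives in ARGS, so the exclusion has to be "!ARGS:AnSwEr0001" (or a regex over ARGS) to have the intended effect. The request path "/quiz/submit" and local rule id 1001 in the last stanza are assumptions.

```apache
# Added example, not from the thread. Rule ID 999999 is the placeholder used
# above; replace it with the CRS rule ID shown in your audit log.

# What the first post describes: the rule is disabled for every request.
# Kept here only for contrast; do not load both this and the exclusions below.
# SecRuleRemoveById 999999

# Narrower: keep the rule, but stop it inspecting the value of one parameter.
# Note the target is ARGS:<name>, not ARGS_NAMES; the blocked text "8t^2" is
# a parameter value, and ARGS_NAMES only holds the parameter names.
SecRuleUpdateTargetById 999999 "!ARGS:AnSwEr0001"

# Same idea for the whole AnSwEr0001, AnSwEr0002, ... family: the target name
# accepts a regex written between slashes instead of a shell-style wildcard.
SecRuleUpdateTargetById 999999 "!ARGS:/^AnSwEr[0-9]{4}$/"

# Narrower still (assumed variant): relax the rule only on the request path
# that legitimately carries these answers, so the same parameter names on any
# other URL are still inspected. The path and the local rule id are assumptions;
# the ctl:ruleRemoveTargetById action form should be checked against the
# reference manual's version note for your ModSecurity release.
SecRule REQUEST_URI "@beginsWith /quiz/submit" \
    "id:1001,phase:1,t:none,pass,nolog,ctl:ruleRemoveTargetById=999999;ARGS:AnSwEr0001"
```

After adding either form, run `apachectl configtest`, reload, and replay the originally blocked request (the one with "8t^2" in AnSwEr0001): the audit log should no longer show rule 999999 matching on that parameter, while a request that puts the same payload in a parameter outside the exclusion should still be blocked. That second check is what confirms the exclusion is as narrow as intended.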