Hi, thanks. I'll have to take a look; the detection audit log is getting quite large, so I'll have to grep for the ID. What I was asking, though, is how I can put the exception in a location by chaining to the rule by ID and leave the core rule as default, as I don't want to have to duplicate the lengthy rules all over the place, which is quite painful via the terminal.


Ofer Shezaf wrote:


Your rule will exclude if there is a referer header at all, and not just if the offending value appears in the referer header.


What you would want to do is use the following location:

REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer


This way you exclude the referer header from the list of locations searched.


To get:

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:(?:[\;\|]\W*?\b(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id))\b|\b(?:(?:n(?:et(?:\b\W*?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|w(?:g(?:uest\.exe|et)|sh\.exe)|(?:rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\\\/c)|hmod\b\.{1,100}?\+.{1,3}x|d\b(?:\W*?\\\/|\W*\b..))))" \

        "deny,auditlog,id:50006,severity:4,msg:'(default/generic_attacks.conf) System Command Injection'"

By the way, you may have noticed in the rule set that I assumed SQL injection and XSS would generate false positives on the Referer header, and it is already excluded in the rule set. I did not anticipate this for command injection. Can you tell me what pattern in the Referer triggers this?


Thanks

~ Ofer
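A runnable illustration of the target-list change Ofer describes above, added here as an example and not code from the thread or from ModSecurity itself. It models how a ModSecurity variable list such as REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer is expanded per request, then runs a shortened, constructed stand-in for the command-injection regex (a few command names after ';' or '|', not the full pattern quoted in the rule) over two constructed requests. The request dicts, header values and the helper names expand_targets and evaluate_rule are all assumptions made for this example.

```python
import re

# Shortened stand-in for the command-injection pattern in the rule quoted above:
# a ';' or '|' followed by a known command name. Constructed for this example;
# the real rule's regex is far longer.
CMD_INJECTION = re.compile(r"[;|]\W*?\b(?:cat|ls|id|uname|wget|nc)\b")

# Target lists from the thread: the list without the exclusion, and Ofer's fix.
ORIGINAL_TARGETS = "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS"
FIXED_TARGETS = "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer"

# Constructed requests (not captured traffic), reduced to the pieces the
# targets above can see.
REFERER_ONLY = {
    "filename": "/index.php",
    "args": {"page": "home"},
    "headers": {
        "Host": "www.example.test",
        "User-Agent": "Mozilla/5.0",
        # A search-engine style Referer whose query string contains ';ls'
        "Referer": "http://search.example.test/?q=vi;ls+-la",
    },
}
ARG_INJECTION = {
    "filename": "/index.php",
    "args": {"file": "report.txt;cat /etc/passwd"},
    "headers": {
        "Host": "www.example.test",
        "Referer": "http://search.example.test/?q=vi;ls+-la",
    },
}


def expand_targets(target_spec, request):
    """Resolve a ModSecurity-style target list into (name, value) pairs.

    Supports the subset used in the thread: REQUEST_FILENAME, ARGS, ARGS_NAMES,
    REQUEST_HEADERS, an optional ':key' selector, and '!'-prefixed exclusions,
    which remove that variable (or whole collection) regardless of token order.
    """
    included, excluded = [], set()
    for token in target_spec.split("|"):
        token = token.strip()
        if token.startswith("!"):
            excluded.add(token[1:].lower())
        elif token:
            included.append(token)

    selected = []
    for token in included:
        collection, _, key = token.partition(":")
        if collection == "REQUEST_FILENAME":
            members = {"": request["filename"]}
        elif collection == "ARGS":
            members = dict(request["args"])
        elif collection == "ARGS_NAMES":
            members = {k: k for k in request["args"]}
        elif collection == "REQUEST_HEADERS":
            members = dict(request["headers"])
        else:
            raise ValueError(f"unsupported target: {token}")
        for member, value in members.items():
            if key and member.lower() != key.lower():
                continue
            name = f"{collection}:{member}" if member else collection
            selected.append((name, value))

    return [
        (name, value)
        for name, value in selected
        if name.lower() not in excluded
        and name.split(":", 1)[0].lower() not in excluded
    ]


def evaluate_rule(target_spec, pattern, request):
    """Names of the targets whose value matches `pattern`.

    The rule would fire once per matching target; an empty list means no alert.
    """
    return [
        name
        for name, value in expand_targets(target_spec, request)
        if pattern.search(value)
    ]


if __name__ == "__main__":
    for label, req in (("referer only", REFERER_ONLY), ("arg injection", ARG_INJECTION)):
        print(label, "without exclusion:", evaluate_rule(ORIGINAL_TARGETS, CMD_INJECTION, req))
        print(label, "with exclusion:   ", evaluate_rule(FIXED_TARGETS, CMD_INJECTION, req))
```

With the exclusion in place the Referer-only request produces no match, while the request carrying the injection in ARGS:file still alerts on that argument, which is the behaviour Ofer's rewritten variable list is meant to give. On the follow-up question of applying such an exclusion without copying the whole rule: later ModSecurity 2.x releases (this is an assumption about a version newer than the one the thread appears to use) accept a directive of the form SecRuleUpdateTargetById 50006 !REQUEST_HEADERS:Referer in a local configuration, which edits the target list of the core rule by ID and leaves the rule file untouched.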