Re: [mod-security-users] ruleRemoveTargetById question
From: Aaron B. <aar...@gm...> - 2013-05-13 14:06:54
That did the trick, thanks!

On Fri, May 10, 2013 at 10:47 AM, Ryan Barnett <RBa...@tr...> wrote:

>
> From: Aaron Bedra <aar...@gm...>
> Date: Friday, May 10, 2013 11:29 AM
> To: "mod...@li..." <mod...@li...>
> Subject: [mod-security-users] ruleRemoveTargetById question
>
> I have tried a few different ways to tune out something recently with
> no success. I have the following rule in place:
>
> SecRule ARGS "@contains partner_source"
> "phase:1,id:320,t:none,pass,nolog,ctl:ruleRemoveTargetById=950001"
>
> Looking at the alert below – you probably want this instead -
>
> SecRuleUpdateTargetById 981231 "!ARGS:partner_source"
>
> But I am still getting the match in the logs
>
> --669ad847-H--
> Message: Warning. Pattern match
> "(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)"
> at ARGS:partner_source. [file
> "/etc/apache2/mod_security_rules.d/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "49"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."]
> [data "Matched Data: --- found within ARGS:partner_source:
> US_DT_SEA_GGL_TXT_RES_DEV_CPC_GW_NBR_m*_c*30323884667_k*authorize net
> alternative_d*Competitors_g*Authorize.net---Compare-(p)_f*m_p*none"]
> [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "8"] [accuracy "8"]
> [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag
> "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
> Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score.
> [file
> "/etc/apache2/mod_security_rules.d/modsecurity_crs_60_correlation.conf"]
> [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score:
> 5, SQLi=1, XSS=): SQL Comment Sequence Detected."]
> Apache-Handler: proxy-server
> Stopwatch: 1368199587900038 16136 (- - -)
> Stopwatch2: 1368199587900038 16136; combined=3210, p1=234, p2=2795, p3=2,
> p4=55, p5=123, sr=57, sw=1, l=0, gc=0
> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/);
> OWASP_CRS/2.2.7.
> Server: Apache
> Sanitised-Request-Headers: "Authorization".
> Engine-Mode: "DETECTION_ONLY"
>
> I have tried several variations of the rule (using @pm instead of
> contains, etc) but nothing has worked for me. Any ideas on how to properly
> tune this out?
>
> -Aaron
>
> ------------------------------
>
> This transmission may contain information that is privileged,
> confidential, and/or exempt from disclosure under applicable law. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or use of the information contained
> herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
> received this transmission in error, please immediately contact the sender
> and destroy the material in its entirety, whether in electronic or hard
> copy format.
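
The two exclusion mechanisms from this thread, side by side, as an added example that is not part of the original messages or of the OWASP CRS. Rule IDs 981231, 950001 and 320 and the argument name come from the thread; rule ID 321 and the `/landing` path are assumptions chosen for illustration.

```apache
# Added example (not from the thread). The alert names the rule and target:
#   [id "981231"] ... at ARGS:partner_source

# --- As posted (shown commented out) ---------------------------------------
# 1. The ctl action points at 950001, but the alert was raised by 981231.
# 2. The documented form is ctl:ruleRemoveTargetById=<rule id>;<target>;
#    no target is named here.
# 3. ARGS inspects parameter values, so "@contains partner_source" matches
#    only if some value contains that string, not when a parameter merely
#    has that name (ARGS_NAMES is the collection of names).
#SecRule ARGS "@contains partner_source" \
#    "phase:1,id:320,t:none,pass,nolog,ctl:ruleRemoveTargetById=950001"

# --- Option A: configuration-time exclusion (the fix given in the reply) ---
# Applies to every request. Load it after the CRS file that defines 981231,
# so the rule already exists when its target list is updated.
SecRuleUpdateTargetById 981231 "!ARGS:partner_source"

# --- Option B: per-request exclusion with ctl (use instead of A, not both) -
# Removes the target only for requests that satisfy the condition, which
# keeps rule 981231 inspecting partner_source everywhere else. The ctl
# action must execute before 981231 is evaluated, hence phase:1.
# "/landing" and id 321 are assumed values.
SecRule REQUEST_FILENAME "@beginsWith /landing" \
    "phase:1,id:321,t:none,pass,nolog,ctl:ruleRemoveTargetById=981231;ARGS:partner_source"
```

After reloading, replay a request carrying the same `partner_source` value and confirm that the audit log no longer shows a `[id "981231"]` message for `ARGS:partner_source`, while other arguments still trigger the rule.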