[mod-security-users] ModSecurity mod_security-2.9.2, Apache 2.4, OWASP CRS
From: Madden, J. <Joe...@mo...> - 2019-10-03 14:59:50
Hi all,
I've got an issue where a password field with complex characters was triggering the following:
Message: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:password. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:password: ##########################"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
I added this into the virtual host configuration (and tried the crs-setup.conf) but it doesn't exclude the password field.
SecRule REQUEST_URI "@beginsWith /webclient/login" \
"phase:2,nolog,pass,id:10001,ctl:ruleRemoveTargetById=981173;ARGS:password"
Can anyone tell me why?
What is the correct way to exclude this from that specific field (and not all other fields on the URL)?
Thanks
Joe.
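
One way to scope this exclusion, as an added example that is not part of the original post: ModSecurity applies `ctl` actions at run time, so they only affect rules evaluated after them in the transaction. The fragment assumes the CRS 2.2.9 rule files are loaded ahead of the virtual host's rule, in which case a phase 2 exclusion runs after rule 981173 has already inspected the field.

```apache
# Added example, not from the original post.
# Assumption: the activated_rules/*.conf files (including
# modsecurity_crs_41_sql_injection_attacks.conf) are included BEFORE this
# virtual host block, so within phase 2 rule 981173 is evaluated first.

# As posted (phase 2): under the assumption above, the ctl action executes
# only after 981173 has already matched ARGS:password, so nothing is excluded.
# SecRule REQUEST_URI "@beginsWith /webclient/login" \
#     "phase:2,nolog,pass,id:10001,ctl:ruleRemoveTargetById=981173;ARGS:password"

# Phase 1 variant: every phase 1 rule runs before any phase 2 rule, wherever
# it sits in the configuration. REQUEST_URI is already available in phase 1,
# and the target removal stays in force for the rest of the transaction.
# Only ARGS:password is dropped from rule 981173, and only for requests whose
# URI begins with /webclient/login; all other arguments are still inspected.
SecRule REQUEST_URI "@beginsWith /webclient/login" \
    "phase:1,t:none,nolog,pass,id:10001,ctl:ruleRemoveTargetById=981173;ARGS:password"
```

To confirm the exclusion, repeat the login with the same password and check that the audit log no longer records id 981173 for `ARGS:password`.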