Re: [mod-security-users] Help configuring mod security
From: Ervin H. <ai...@gm...> - 2020-11-24 16:23:51
Hi Joshua,

On Tue, Nov 24, 2020 at 12:48:02PM +0000, Joshua Jenner wrote:
>
> I am using mod security with apache 2. It's working fine but I want to disable one element of the rule MULTIPART_STRICT_ERROR. I want to just disable the Invalid quoting check. I've tried doing this by just deleting the line in my mod_security.conf file.

I'm afraid you can't do this - I mean, you can't "exclude" any item from the list below. If you check the source, MULTIPART_STRICT_ERROR is a "cumulated" variable:

https://github.com/SpiderLabs/ModSecurity/blob/v2/master/apache2/re_variables.c#L1582-L1596

If any variable from that list is set, MULTIPART_STRICT_ERROR also has a non-zero value.

> So just deleting the IQ line from here and restarting apache:
>
> SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
> "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
> failed strict validation:
> PE %{REQBODY_PROCESSOR_ERROR}, \
> BQ %{MULTIPART_BOUNDARY_QUOTED}, \
> BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
> DB %{MULTIPART_DATA_BEFORE}, \
> DA %{MULTIPART_DATA_AFTER}, \
> HF %{MULTIPART_HEADER_FOLDING}, \
> LF %{MULTIPART_LF_LINE}, \
> SM %{MULTIPART_MISSING_SEMICOLON}, \
> IQ %{MULTIPART_INVALID_QUOTING}, \
> IP %{MULTIPART_INVALID_PART}, \
> IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
> FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

You can do that: make a list of rules with all the variables that you want to check. E.g.:

SecRule REQBODY_PROCESSOR_ERROR|MULTIPART_BOUNDARY_QUOTED|MULTIPART_BOUNDARY_WHITESPACE|...|MULTIPART_FILE_LIMIT_EXCEEDED "!@eq 0" \
    "id:200002,\
    phase:2,\
    t:none,\
    log,\
    deny,\
    msg:'Multipart request body failed: PE %{REQBODY_PROCESSOR_ERROR}, \
    ....
    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

and DO NOT put MULTIPART_INVALID_QUOTING into the list of variables.

(And don't forget to make a comment for the original rule 200002, or add a unique id.)

Let me know if you have any questions.

a.
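The approach described in the reply above, written out in full as an added example that is not part of the original message. The variable names are the ones listed in the quoted rule; the rule ids 10001 and 10002, the status code 400 and the log-only second rule are assumptions made for illustration.

```apache
# Added example, not from the original thread.
# Rule ids 10001/10002 are placeholders; use ids that are unique in your setup.

# Disable the stock cumulative rule. This directive must be loaded after
# rule 200002 is defined (alternatively, comment the stock rule out in place).
SecRuleRemoveById 200002

# Block on each individual check from the quoted rule. MULTIPART_INVALID_QUOTING
# is intentionally left out of the variable list, so it no longer causes a deny.
# The variable list stays on one line so the pipe-separated token is not broken.
SecRule REQBODY_PROCESSOR_ERROR|MULTIPART_BOUNDARY_QUOTED|MULTIPART_BOUNDARY_WHITESPACE|MULTIPART_DATA_BEFORE|MULTIPART_DATA_AFTER|MULTIPART_HEADER_FOLDING|MULTIPART_LF_LINE|MULTIPART_MISSING_SEMICOLON|MULTIPART_INVALID_PART|MULTIPART_INVALID_HEADER_FOLDING|MULTIPART_FILE_LIMIT_EXCEEDED "!@eq 0" \
    "id:10001,\
    phase:2,\
    t:none,\
    log,\
    deny,\
    status:400,\
    msg:'Multipart request body failed: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_MISSING_SEMICOLON}, IP %{MULTIPART_INVALID_PART}, IH %{MULTIPART_INVALID_HEADER_FOLDING}, FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

# Assumption: keep visibility on the relaxed check by logging it without blocking,
# so requests with invalid quoting still show up in the audit/error log.
SecRule MULTIPART_INVALID_QUOTING "!@eq 0" \
    "id:10002,\
    phase:2,\
    t:none,\
    log,\
    pass,\
    msg:'Multipart invalid quoting seen (not blocked): IQ %{MULTIPART_INVALID_QUOTING}'"
```

Excluding MULTIPART_INVALID_QUOTING removes that check for every multipart request this rule covers, so the log-only rule is what lets you review how often it fires before deciding whether the exclusion should stay.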