Re: [mod-security-users] Help configuring mod security
From: Joshua J. <Jos...@uk...> - 2020-11-25 10:30:42
Thank you very much for this - I will give it a go and let you know if I have any problems

-----Original Message-----
From: Ervin Hegedüs <ai...@gm...>
Sent: Tuesday, November 24, 2020 4:23 PM
To: mod...@li...
Subject: Re: [mod-security-users] Help configuring mod security

Hi Joshua,

On Tue, Nov 24, 2020 at 12:48:02PM +0000, Joshua Jenner wrote:
>
> I am using mod security with apache 2. It's working fine but I want to disable one element of the rule MULTIPART_STRICT_ERROR. I want to just disable the Invalid quoting check. I've tried doing this by just deleting the line in my mod_security.conf file.

I'm afraid you can't do this - I mean, you can't "exclude" any item from the list below.

If you check the source, MULTIPART_STRICT_ERROR is a "cumulated" variable:

https://github.com/SpiderLabs/ModSecurity/blob/v2/master/apache2/re_variables.c#L1582-L1596

If any variable from that list is set, the MULTIPART_STRICT_ERROR also has a non-zero value.

> So just deleting the IQ line from here and restarting apache:
>
> SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
> "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
> failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, \
> BQ %{MULTIPART_BOUNDARY_QUOTED}, \
> BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
> DB %{MULTIPART_DATA_BEFORE}, \
> DA %{MULTIPART_DATA_AFTER}, \
> HF %{MULTIPART_HEADER_FOLDING}, \
> LF %{MULTIPART_LF_LINE}, \
> SM %{MULTIPART_MISSING_SEMICOLON}, \
> IQ %{MULTIPART_INVALID_QUOTING}, \
> IP %{MULTIPART_INVALID_PART}, \
> IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
> FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

You can do this: make a list of rules with all the variables that you want to check. E.g.:

SecRule REQBODY_PROCESSOR_ERROR|MULTIPART_BOUNDARY_QUOTED|MULTIPART_BOUNDARY_WHITESPACE|...|MULTIPART_FILE_LIMIT_EXCEEDED "!@eq 0" \
    "id:200002,\
    phase:2,\
    t:none,\
    log,\
    deny,\
    msg:'Multipart request body failed: PE %{REQBODY_PROCESSOR_ERROR}, \
    ....
    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

and DO NOT put the MULTIPART_INVALID_QUOTING into the list of variables.

(And don't forget to make a comment for original rule 200002, or add a unique id.)

Let me know if you have any questions.

a.
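Added example, not part of the original thread: the replacement rule described in the reply above, written out in full with every variable named in the quoted rule 200002 except MULTIPART_INVALID_QUOTING. The id 1000001 is a placeholder assumption (pick one that is unique in your rule set), and the action list follows the reply's example, so the deny status comes from your default action.

```apache
# Added example, not from the original thread.
# Replaces the stock MULTIPART_STRICT_ERROR rule (id 200002), which must be
# commented out or removed so the invalid-quoting flag no longer triggers a deny.
#
# Each variable below is "0" or "1"; the rule fires when any of them is non-zero.
# MULTIPART_INVALID_QUOTING is deliberately left out of the variable list and
# out of the message, so requests failing only that check pass this rule.
# id:1000001 is a placeholder, chosen here for illustration.
SecRule REQBODY_PROCESSOR_ERROR|MULTIPART_BOUNDARY_QUOTED|MULTIPART_BOUNDARY_WHITESPACE|MULTIPART_DATA_BEFORE|MULTIPART_DATA_AFTER|MULTIPART_HEADER_FOLDING|MULTIPART_LF_LINE|MULTIPART_MISSING_SEMICOLON|MULTIPART_INVALID_PART|MULTIPART_INVALID_HEADER_FOLDING|MULTIPART_FILE_LIMIT_EXCEEDED "!@eq 0" \
    "id:1000001,\
    phase:2,\
    t:none,\
    log,\
    deny,\
    msg:'Multipart request body failed validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
```

Only the invalid-quoting check is relaxed; the other eleven flags still deny the request, so the audit log message shows which remaining check fired.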