Thanks a mil for this, I will try it out today. I did something similar, guided by the modsecurity handbook tutorial, but it didn't work. I take it this needs to be added to a low number conf file e.g. modsecurity_crs_15_customrules.conf? I'll let you know how it goes. Thanks again, Josh.
> From: jamuse <at> gmail.com
> Date: Tue, 10 Jan 2012 12:37:08 +0200
> Subject: Re: [mod-security-users] SQLi False positive
> To: dits_ltd <at> hotmail.com
> CC: mod-security-users <at> lists.sourceforge.net
>
> On Tue, Jan 10, 2012 at 10:49 AM, Sean O'Sullivan <dits_ltd <at> hotmail.com> wrote:
> > Hi
> >
> > There is a page on our website called Individual... ModSecurity is
> > generating a false positive because the page name contains the word div, I
> > have included the logs below. Is there any way to exclude a parameter from
> > a rule if it contains a certain text string.
>
> Hi Sean,
>
> What about:
> SecRule ARGS:pageType "@contains div"
> "phase:2,t:none,log,pass,ctl:ruleUpdateTargetById=981244;!ARGS:pageType"
>
> or
>
> SecRule REQUEST_URI Individual "phase:2,t:none,chain,ctl:ruleRemoveById=981244"
> SecRule ARGS:pageType "@contains div"
>
> --
> - Josh
>
> >
> > I know this won't work but it is an example of what I am trying to do :
> > SecRuleUpdateTargetById 981244 ! "@contains div".ARGS:pageType
> >
> > Message: Warning. Pattern match
> > "(?i:(?:\\d(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+\\d)|(?:^admin\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)|(\\/\\*)+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+\\s?(?:--|#|\\/\\*|{)?)|(?:(\"|'|
> > ..." at ARGS:pageType. [file
> > "/etc/apache2/modsecurity_crs/modsecurity_crs_41_sql_injection_attacks.conf"]
> > [line "533"] [id "981244"] [msg "Detects basic SQL authentication bypass
> > attempts 1/3"] [data "div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"]
> > [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
> > Message: Warning. Pattern match
> > "(?i:(?:(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s*\\*.+(?:x?or|div|like|between|and|id)\\W*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\d)|(?:\\^(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98))|(?:^[\\w\\s(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)-]+(
> > ..." at ARGS:pageType. [file
> > "/etc/apache2/modsecurity_crs/modsecurity_crs_41_sql_injection_attacks.conf"]
> > [line "573"] [id "981243"] [msg "Detects classic SQL injection probings
> > 2/2"] [data "div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag
> > "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
> > Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file
> > "/etc/apache2/modsecurity_crs/modsecurity_crs_60_correlation.conf"] [line
> > "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound
> > Score: 13, SQLi=, XSS=): 981243-Detects classic SQL injection probings 2/2"]
> > Apache-Handler: proxy-server
> > Stopwatch: 1326169975607617 51819 (- - -)
> > Stopwatch2: 1326169975607617 51819; combined=4777, p1=174, p2=4443, p3=1,
> > p4=59, p5=100, sr=45, sw=0, l=0, gc=0
> > Response-Body-Transformed: Dechunked
> > Producer: ModSecurity for Apache/2.6.0 (http://www.modsecurity.org/); core
> > ruleset/2.2.3.
> > Server: Apache/2.2.17 (
> >
> > Thanks in advance. Regards,
> > Sean
> >
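As an added example (not from the thread, and not CRS or ModSecurity project code), here are the two exclusion approaches Josh describes written out as a complete ModSecurity 2.6 config fragment, with the `@contains` operator spelled the way the engine expects and the chained variant closed properly. The rule ids, the "Individual" match and the file placement are assumptions: ids must come from a range the CRS does not use, the ctl-based rules must be loaded before the CRS rules (for example from the modsecurity_crs_15_customrules.conf mentioned above) so they run earlier in phase 2 than rules 981243 and 981244, and the SecRuleUpdateTargetById directive must appear after the rule it modifies.

```apache
# Added example (not from the thread). Assumes ModSecurity 2.6 with CRS 2.2.x,
# rule ids 900001-900003 chosen from a local range (constructed values), and
# that this file is included BEFORE modsecurity_crs_41_sql_injection_attacks.conf
# so the ctl actions are applied before 981243/981244 are evaluated in phase 2.

# Option 1: when the pageType argument contains "div", stop rule 981244 from
# inspecting ARGS:pageType for this request only. Every other parameter is
# still checked by the rule, and the rule is untouched on other requests.
SecRule ARGS:pageType "@contains div" \
    "phase:2,id:900001,t:none,nolog,pass,ctl:ruleUpdateTargetById=981244;!ARGS:pageType"

# The audit log above shows 981243 matching on the same value and both rules
# feeding the anomaly score of 13, so the same exclusion is needed for it:
# one ctl action per rule id.
SecRule ARGS:pageType "@contains div" \
    "phase:2,id:900002,t:none,nolog,pass,ctl:ruleUpdateTargetById=981243;!ARGS:pageType"
# Later 2.x releases expose this ctl option as ruleRemoveTargetById; check the
# reference manual for the version in use.

# Option 2: narrower scope. Only on the Individual page, and only when the
# value matches, remove the whole rule for this request. The ctl action sits
# on the last rule of the chain so it fires only when both conditions hold.
SecRule REQUEST_URI "@contains Individual" \
    "phase:2,id:900003,t:none,nolog,pass,chain"
    SecRule ARGS:pageType "@contains div" \
        "t:none,ctl:ruleRemoveById=981244"

# Unconditional alternative (must be placed AFTER the CRS rule definitions,
# i.e. in a file loaded after modsecurity_crs_41_*): drop ARGS:pageType from
# the target list of 981244 for every request. Simpler, but that parameter is
# then never inspected by the rule, whatever it contains.
# SecRuleUpdateTargetById 981244 !ARGS:pageType
```

Option 1 keeps the rule active for all other parameters, so it is the safer of the two when the page accepts more than one argument; option 2 disables the rule outright for the request, which is acceptable only when the URI condition is tight. After loading the change, request the Individual page again and confirm in the audit log that 981243 and 981244 no longer appear for it while a request to another page with the same parameter is still inspected.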