From: "Canell, Stephen E (2240)" <stephen.e.can...@jpl.nasa.gov>
Date: Fri, 20 Jul 2012 12:13:22 -0500
To: "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: [Owasp-modsecurity-core-rule-set] SQL Keyword Anomaly Scoring


#
# SQL Keyword Anomaly Scoring:

I am having issues fine-tuning all SQL rules for a COTS product.  This relates 
to IDs 981301 - 981316 with 981317.
I get a 403 from 918317 related to the previous SecRules because of the keyword 
count trigger.
Would the keywords in 301-316 be triggered by variable names having SQL 
keywords in the var name, such as:
 "search.selectedJobFamily.value" (981301 - select)

Also,
 I have two variables where users can enter an entire resume, so most, if not 
all, of the SQL keywords in the SQL rules 301-316 will get hit!

I have seen SecRuleUpdateById used in conjunction with !ARGS:<var>, but 
301-316 uses TX:SQLI….. How do I use SecRuleUpdateById with TX vs ARGS, and/or 
what is the best way to allow all words for these two variables and not set off 
the SQL triggers?

Thank you
Steve

Steve,
If you don't want these SQL keyword checks to search ARGS_NAMES collection at 
all, you can use this -

SecRuleUpdateTargetById 981300 "!ARGS_NAMES"

Optionally, you can specify the individual ARGS_NAMES variables that are 
causing false positives -

SecRuleUpdateTargetById 981300 "!ARGS_NAMES:search.selectedJobFamily.value"

-Ryan
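
An added example (not part of the original thread) for the second half of Steve's question, the free-text resume fields: the same target exclusion applied to ARGS values, once for every request and once limited to a single URI. The parameter names resume and coverLetter, the path /jobs/apply and the rule id 1000 are assumptions for illustration.

```apache
# Added example, not from the thread. "resume" and "coverLetter" are
# hypothetical parameter names, /jobs/apply is a hypothetical path.
# 981300 is the rule ID targeted in Ryan's reply above.

# Option 1: configuration-time exclusion, applies to every request.
# Place these lines after the Include of the CRS file that defines
# rule 981300; the directive can only update a rule already loaded.
SecRuleUpdateTargetById 981300 "!ARGS:resume"
SecRuleUpdateTargetById 981300 "!ARGS:coverLetter"

# Option 2: runtime exclusion, only for the form that carries the
# resume fields. The rule runs in phase 1 on REQUEST_URI, so the
# exclusion is in place before the rules that inspect ARGS are evaluated.
# id:1000 is a placeholder; use an ID that is unused in the local config.
SecRule REQUEST_URI "@beginsWith /jobs/apply" \
    "phase:1,id:1000,t:none,nolog,pass,\
    ctl:ruleRemoveTargetById=981300;ARGS:resume,\
    ctl:ruleRemoveTargetById=981300;ARGS:coverLetter"
```

Use one option, not both. Either one exempts only the two named parameters from rule 981300, so every other request target is still checked by it.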
