On Tue, Oct 1, 2013 at 10:56 PM, John McGowan <j...@lynch2.com> wrote:
> Is it possible for a mod_security rule to drop a cookie or an argument > from a request without dropping the entire request? Hi John, While I would not recommend this approach, you could use mod_headers to remove the cookie and the rsub action to remove POST body data from requests if you know the cookie/parameter name ahead of time. There is a good chance that this will negatively affect the functionality of the web application though. If your getting too many false positives for a given cookie/parameter value and you know that they are not vulnerable to a given attack type, have you tried disabling rules by tag name? This may be a cleaner approach to solving your problem. -- - Josh > We're constantly > having to monitor our error_log and add exceptions whenever us or a > 3rd party is setting a cookie or an argument that looks suspicious to > the core rules set. > > Ideally I'd like to be able to tell mod_security to drop any offending > get or post args or cookies if they look suspicious so that the > request is still handled, but the scary data doesn't end up getting > processed. Of course I'd want to log this when it happens so that if > the cookie/arg is something that my app cares about I can decide what > needs to happen next. > > I'm tired of having to add exceptions every time some new 3rd party > cookie gets set on the domain that has complex characters, or > resembles a injection attack. > > -- > John McGowan > _______________________________________________ > Owasp-modsecurity-core-rule-set mailing list > Owasp-modsecurity-core-rule-set@lists.owasp.org > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set >
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set