On Wed, Oct 2, 2013 at 8:56 AM, Ryan Barnett <rbarn...@trustwave.com> wrote:
>
> John,
> What I would recommend is that you utilize the SecRuleUpdateTargetById,
> SecRuleUpdateTargetByTag, etcŠ directives to customize which local
> variables are inspected. For your scenario, lets say that you only want to
> inspect some Cookie values that your site specifically sets (SESISONID,
> FOO_COOKIE and BAR_COOKIE).  You could add the following to a local custom
> rules file that is processed at the end of Apache/ModSecurity
> initialization (for example in a file called -
> modsecurity_crs_99_custom.conf).  You could place the following in the
> file to replace REQUEST_COOKIES with only your defined cookie values for
> all SQL Injection rules -
>
>
> SecRuleUpdateTargetByTag "SQL_INJECTION" REQUEST_COOKIES REQUEST_COOKIES:SESSIONID,REQUEST_COOKIES:FOO_COOKIE,REQUEST_COOKIES:BAR_COOKIE

Ryan,

I understand what you're suggesting, and I appreciate the feedback,
but unfortunately that technique doesn't really help me.  We are
typically using the SecRuleUpdateTargetById to ignore certain rules
for the cookies/params that we're using, usually because our app is
using the cookies in a way that causes a false positive in the CRS
(JSON data typically).

If I'm understanding your suggestion, you're basically saying that we
should update the rules so that they ignore unexpected (unused)
cookies and args, and only inspect the ones that we know our
application is using.  But that is a catch 22, because it's usually
those rules that we're having to write exceptions to ignore on.

I feel like I'm falling into this trap where the only way
I can run mod_sec with the CRS is to turn off some major rules
entirely because of this 3rd-party cookie issue, or else risk that
some users will have a broken experience until we have a chance to
address the false positives that we get notified about.

Luckily we are using SumoLogic to parse the Apache error logs and
deliver us a report every 15 minutes with a list of the blocked
requests.

Thanks again for each of your responses.  Is my original question
something that could possibly be implemented as a feature in
mod_security?  The ability to make it so rules modify a request
instead of dropping it entirely?  Kind of a middle ground between
"notify only" and "drop entirely"... just "drop the bad part"?

/John
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
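For readers following the exchange above, here is an added example of what a modsecurity_crs_99_custom.conf of the kind Ryan describes could contain. It is illustrative code written for this thread, not a configuration posted by Ryan, John, or the CRS project. The rule ID 999999, the cookie names (SESSIONID, FOO_COOKIE, BAR_COOKIE, __utm*) and the JSON-cookie condition are assumptions chosen for illustration; substitute the real CRS rule IDs from your own audit log. It shows the two mechanisms discussed: the global SecRuleUpdateTarget* directives, and a per-request ctl:ruleRemoveTargetById action, which is the closest ModSecurity 2.7 gets to "drop the bad part": the request is not rewritten, but a named cookie stops being a trigger for one rule when a condition you control is true.

```apache
# modsecurity_crs_99_custom.conf -- added example, not from the original thread.
# Must be Include'd AFTER the CRS rule files: the SecRuleUpdateTarget*
# directives modify rules that already exist, so they are ignored (or error)
# if the CRS has not been loaded yet.

# 1. Global exclusion by tag: drop third-party cookies whose names start with
#    "__utm" from every rule tagged SQL_INJECTION (the tag argument is treated
#    as a regular expression, so it matches e.g. WEB_ATTACK/SQL_INJECTION).
#    The leading "!" removes the target instead of adding it.
SecRuleUpdateTargetByTag "SQL_INJECTION" "!REQUEST_COOKIES:/^__utm/"

# 2. Global exclusion by ID for one rule and one application cookie.
#    999999 is a placeholder ID; use the ID reported in your audit/error log.
SecRuleUpdateTargetById 999999 "!REQUEST_COOKIES:FOO_COOKIE"

# 3. Per-request exclusion: only when FOO_COOKIE looks like a JSON object do
#    we stop rule 999999 from inspecting it. Other requests are still fully
#    inspected, and the cookie is still visible to every other rule.
#    phase:1 so it runs before the phase-2 CRS rules; 1000001 is a local ID
#    chosen in the 1000000+ range reserved for user rules.
SecRule REQUEST_COOKIES:FOO_COOKIE "@rx ^\{.*\}$" \
    "id:1000001,phase:1,pass,nolog,t:none,\
    ctl:ruleRemoveTargetById=999999;REQUEST_COOKIES:FOO_COOKIE"

# 4. Sanity check that the file was actually loaded: a deliberately harmless
#    marker rule you can grep for with `apachectl -t -D DUMP_MODULES` style
#    debugging or the ModSecurity debug log at SecDebugLogLevel 4+.
SecRule REQUEST_HEADERS:X-Custom-Conf-Check "@streq on" \
    "id:1000002,phase:1,pass,log,msg:'99_custom.conf loaded'"
```

A practical check before relying on any of these exclusions: run `apachectl configtest` (or `httpd -t`) after editing, then send a known-blocked request with and without the excluded cookie and confirm in the audit log that the rule ID you targeted no longer fires on that cookie while it still fires on ARGS. If the rule keeps matching, the usual cause is that the include order is wrong and the update directive ran before the CRS rule existed.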