Hi,
I would like a little help if possible writing an exception for what
is being tagged as a SQL Injection attempt.
here is the audit log data:
[Wed Aug 13 16:58:59 2014] [error] [client aaa.bbb.ccc.ddd]
ModSecurity: Access denied with code 403 (phase 2). Pattern match
"\\\\b(\\\\d+)
?(?:=|<>|<=>|<|>|!=)
?\\\\1\\\\b|[\\\\'\\"\\\\`\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98](\\\\d+)[\\\\'\\"\\\\`\\\\\\xc2\\x
b4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98] ?(?:=|<>|<=>|<|>|!=)
?[\\\\'\\"\\\\`\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98]\\\\
2\\\\b|[\\\\'\\"\\\\`\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x98 ..." at
ARGS:position[e_statement]. [file "/usr/share/modsecurity-crs/activate
d_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "435"]
[id "950901"] [rev "2.2.0"] [msg "SQL Injection Attack"] [data " a
nd 60"] [severity "CRITICAL"] [hostname "test.example.com"] [uri
"/api/search/posit/509"] [unique_id "U@uZUwoAZa
IAAEDBdrsAAAAG"]
The text in a PUT validated by the web app contains a statement about
some regulations all URL encoded:
The string it is objecting to is in the PUT body here:
CFR+%26sect%3B%26sect%3B+60-1.4(a)%2C+60-300.5(a)+and+60-741.5(a).
My current rule is:
SecRule REQUEST_LINE "PUT /api/search/posit/\d{3}"
"chain,phase:2,t:none,t:compressWhiteSpace,nolog,pass"
SecRule ARGS|REQUEST_BODY "@streq and60"
"nolog,ctl:ruleRemoveById=905901"
Any ideas? please?
Thanks Dan
--
--
d...@madjic.net
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
