Hi,
In the SQL injection rules, tx.sql_injection_score is set two different
ways. Some rules use "+1" while others increment it in sync with
tx.anomaly_score, e.g.:
Rule 981231:
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.sql_injection_score=+1
Rule 981260:
    setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}
If the latter approach was used everywhere, then you could easily skip the
SQL injection rules for certain URLs -- just create a local rule that
matches the URLs you are interested in and subtract the
sql_injection_score from the anomaly_score for those URLs.
I've done this in my own copy of the core rules, and would love to have
these changes included in the official core rules.
Earl Fogel
Information and Communications Technology
University of Saskatchewan
--
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
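
Added example, not part of the original message or of the core rule set: a small Python model of the score arithmetic described above, showing why the subtraction only cancels the SQL injection contribution when every rule increments tx.sql_injection_score in sync with tx.anomaly_score. The values of CRITICAL, THRESHOLD and other_score, and the helper names, are assumptions made for illustration.

```python
"""Constructed model of per-URL SQLi exclusion by score subtraction."""

CRITICAL = 5   # assumed value of tx.critical_anomaly_score
THRESHOLD = 5  # assumed blocking threshold for tx.anomaly_score

# The two increment styles quoted in the message, keyed by rule id.
RULES = {
    "981231": "plus_one",  # sql_injection_score=+1
    "981260": "in_sync",   # sql_injection_score=+%{tx.critical_anomaly_score}
}


def all_in_sync(styles):
    """Return the rule table as it would look after the proposed change."""
    return {rule_id: "in_sync" for rule_id in styles}


def evaluate(matched, excluded_url, styles=RULES, other_score=0):
    """Score one transaction.

    matched      -- ids of SQLi rules that fired
    excluded_url -- True if the local exclusion rule matches this URL
    other_score  -- anomaly points contributed by non-SQLi rules
    """
    tx = {"anomaly_score": other_score, "sql_injection_score": 0}
    for rule_id in matched:
        tx["anomaly_score"] += CRITICAL
        if styles[rule_id] == "in_sync":
            tx["sql_injection_score"] += CRITICAL
        else:
            tx["sql_injection_score"] += 1
    if excluded_url:
        # Local rule: must run after the SQLi rules and before the
        # threshold check, or the subtraction has no effect.
        tx["anomaly_score"] -= tx["sql_injection_score"]
    tx["blocked"] = tx["anomaly_score"] >= THRESHOLD
    return tx


if __name__ == "__main__":
    hits = ["981231", "981260"]
    # other_score=2 stands for one minor non-SQLi finding (assumed value).
    print("mixed :", evaluate(hits, True, other_score=2))
    print("synced:", evaluate(hits, True, all_in_sync(RULES), other_score=2))
```

With the mixed styles, 4 points of SQLi score survive the subtraction, so one minor unrelated finding is enough to block a request on the excluded URL; with all rules in sync the residue is zero.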