Hi Chaim,
thanks for the response. I actually did stumble across that blog post
and tried to write some exceptions to get things working. There are SO
many exceptions needed though! I think I will try removing the DEB/RPM
of ModSecurity and try installing it from source. That way I will be
able to install the most recent version of CRS.
So far this is what I've written for exceptions. Am I doing it correctly??
In modsecurity_crs_15_customerules.conf:
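# Switch off CRS rule 981173 for the whole request on selected paths. The
# exceptions run in phase 1 so the ctl action is in place before the phase 2
# rule is evaluated.
# ctl:ruleRemoveById disables the rule for every parameter on these URLs. If
# only a few parameters trigger it, ctl:ruleRemoveTargetById (where the
# installed version supports it) is a narrower exception.
# NOTE: ModSecurity 2.7 and later require a unique id action on every SecRule;
# add one from the site's local range before loading this on a newer build.
# Each rule needs the trailing backslash: without it the action string on the
# next line is not part of the directive.

# "/node/*/edit" read as a regex means "/node", zero or more "/", then "/edit",
# so it never matches /node/123/edit. Assumes numeric node IDs -- confirm.
SecRule REQUEST_FILENAME "@rx ^/node/[0-9]+/edit$" \
    "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=981173"
SecRule REQUEST_FILENAME "@streq /civicrm/contribute/search" \
    "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=981173"
SecRule REQUEST_FILENAME "@streq /civicrm/ajax/inline" \
    "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=981173"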
In modsecurity_crs_48_local_exceptions.conf:
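# Anomaly-score exceptions for the node edit form. Each chain:
#   1. limits the exception to the edit URL,
#   2. checks that the named CRS rule recorded a match in the TX collection,
#   3. deletes that TX entry and subtracts the score the rule had added.
# The subtracted value must equal what the original rule added, otherwise the
# request ends up under- or over-scored -- verify against the installed CRS.
# "/node/*/edit" read as a regex means "/node", zero or more "/", then "/edit",
# so it never matches /node/123/edit. Assumes numeric node IDs -- confirm.
# NOTE: ModSecurity 2.7 and later require a unique id action on each chain
# starter; add one from the site's local range.
SecRule REQUEST_FILENAME "@rx ^/node/[0-9]+/edit$" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule TX:'/^960010/' "@streq Item 1=1" "chain,t:none"
        SecRule MATCHED_VAR_NAME "TX\:(.*)" \
            "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-3"
SecRule REQUEST_FILENAME "@rx ^/node/[0-9]+/edit$" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule TX:'/^950109/' "@streq Item 1=1" "chain,t:none"
        SecRule MATCHED_VAR_NAME "TX\:(.*)" \
            "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-2"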
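# Per-parameter exceptions: when the named CRS rule recorded a match for the
# given parameter, delete that TX entry and subtract the score it added.
# The key selector in TX:'/.../' is a regex, so the square brackets in the
# parameter names must be escaped. Unescaped, "[und][0][value]" is three
# character classes and never matches the literal name "body[und][0][value]",
# so the exception silently does nothing.
# These rules are not tied to a URL: they apply to any request that carries a
# parameter with this name. Add a REQUEST_FILENAME chain starter if the
# exception should only cover the edit form.
# NOTE: ModSecurity 2.7 and later require a unique id action on each chain
# starter; add one from the site's local range.
SecRule TX:'/^950901.*ARGS:body\[und\]\[0\]\[value\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^960024.*ARGS:body\[und\]\[0\]\[value\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-3"
SecRule TX:'/^960024.*ARGS:metatags\[title\]\[value\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-3"
SecRule TX:'/^960024.*ARGS:metatags\[title\]\[default\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-3"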
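# Per-parameter exceptions for rules 981257, 981245 and 981243: when the rule
# recorded a match for the given parameter, delete that TX entry and subtract
# the score it added (5 is assumed to be what each rule contributes -- verify
# against the installed CRS).
# The key selector in TX:'/.../' is a regex. Square brackets and the dot in the
# parameter names are escaped so the pattern matches the literal name;
# unescaped brackets are character classes and the exception never fires.
# These rules are not tied to a URL: they apply wherever a parameter with this
# name appears. Chain from REQUEST_FILENAME to limit them to one form.
# NOTE: ModSecurity 2.7 and later require a unique id action on each chain
# starter; add one from the site's local range.
SecRule TX:'/^981257.*ARGS:body\[und\]\[0\]\[value\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^981245.*ARGS:body\[und\]\[0\]\[value\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^981245.*ARGS:metatags\[dcterms\.rights\]\[value\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^981245.*ARGS:metatags\[dcterms\.rights\]\[default\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^981245.*ARGS:metatags\[copyright\]\[value\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^981245.*ARGS:metatags\[copyright\]\[default\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^981243.*ARGS:metatags\[dcterms\.rights\]\[value\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^981243.*ARGS:metatags\[dcterms\.rights\]\[default\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^981243.*ARGS:metatags\[copyright\]\[value\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^981243.*ARGS:metatags\[copyright\]\[default\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"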
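# Per-parameter exceptions for rules 973300, 973304, 973333 and 973302: when
# the rule recorded a match for the given parameter, delete that TX entry and
# subtract the score it added.
# The key selector in TX:'/.../' is a regex. Square brackets and the dot in the
# parameter names are escaped so the pattern matches the literal name;
# unescaped brackets are character classes and the exception never fires.
# These rules are not tied to a URL, so the body field stops contributing to
# the anomaly score for these rule IDs on every request that carries it. The
# application's own input/output filtering is then the remaining control for
# that field -- confirm it is in place before relying on this exception.
# NOTE: ModSecurity 2.7 and later require a unique id action on each chain
# starter; add one from the site's local range.
SecRule TX:'/^973300.*ARGS:body\[und\]\[0\]\[value\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^973304.*ARGS:body\[und\]\[0\]\[value\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^973333.*ARGS:body\[und\]\[0\]\[value\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^973302.*ARGS:metatags\[dcterms\.format\]\[value\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^973302.*ARGS:metatags\[dcterms\.format\]\[default\]/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"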
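# URL-scoped anomaly-score exceptions. Each chain limits the exception to one
# exact path (@streq), checks that the named CRS rule recorded a match in TX,
# then deletes that TX entry and subtracts the score the rule had added.
# The subtracted value must equal what the original rule added -- verify
# against the installed CRS.
# Each wrapped rule needs the trailing backslash: without it the action string
# on the next line is not part of the directive.
# NOTE: ModSecurity 2.7 and later require a unique id action on each chain
# starter; add one from the site's local range.
SecRule REQUEST_FILENAME "@streq /modules/statistics/statistics.php" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule TX:'/^960010/' "@streq Item 1=1" "chain,t:none"
        SecRule MATCHED_VAR_NAME "TX\:(.*)" \
            "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-3"
SecRule REQUEST_FILENAME "@streq /ckeditor/xss" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule TX:'/^960010/' "@streq Item 1=1" "chain,t:none"
        SecRule MATCHED_VAR_NAME "TX\:(.*)" \
            "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-3"
SecRule REQUEST_FILENAME "@streq /ckeditor/xss" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule TX:'/^950109/' "@streq Item 1=1" "chain,t:none"
        SecRule MATCHED_VAR_NAME "TX\:(.*)" \
            "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-2"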
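# Exceptions for the "text" parameter: when the named CRS rule recorded a match
# for ARGS:text, delete that TX entry and subtract the score it added.
# These rules are not tied to a URL, so they apply to a parameter called "text"
# on any page. The key regex is also unanchored at the end, so it would match
# longer names that start with "text" as well -- presumably unintended. Chain
# from REQUEST_FILENAME to limit the exception to the form that needs it.
# Each chained rule needs the trailing backslash: without it the action string
# on the next line is not part of the directive.
# NOTE: ModSecurity 2.7 and later require a unique id action on each chain
# starter; add one from the site's local range.
SecRule TX:'/^950901.*ARGS:text/' ".*" "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^960024.*ARGS:text/' ".*" "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-3"
SecRule TX:'/^981173.*ARGS:text/' ".*" "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-3"
SecRule TX:'/^981257.*ARGS:text/' ".*" "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^981245.*ARGS:text/' ".*" "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^973300.*ARGS:text/' ".*" "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^973304.*ARGS:text/' ".*" "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^973333.*ARGS:text/' ".*" "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"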
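# Exceptions for a session cookie and the CiviCRM multi-select parameters:
# when the named CRS rule recorded a match for the given cookie or parameter,
# delete that TX entry and subtract the score it added.
# These rules are not tied to a URL, and the key regex is unanchored at the
# end (crmasmSelect1 would also match a name such as crmasmSelect10). Chain
# from REQUEST_FILENAME if the exception should only cover specific forms.
# Each wrapped rule needs the trailing backslash: without it the action string
# on the next line is not part of the directive.
# NOTE: ModSecurity 2.7 and later require a unique id action on each chain
# starter; add one from the site's local range.
SecRule TX:'/^981172.*REQUEST_COOKIES:CHOCOLATECHIPSSL/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-3"
SecRule TX:'/^981247.*ARGS:crmasmSelect0/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^981247.*ARGS:crmasmSelect1/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^981247.*ARGS:crmasmSelect2/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^981247.*ARGS:crmasmSelect3/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
SecRule TX:'/^981247.*ARGS:crmasmSelect4/' ".*" \
    "chain,phase:2,t:none,nolog,pass"
    SecRule MATCHED_VAR_NAME "TX\:(.*)" \
        "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"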
--
Jacob Lear
Web Administrator
FosterClub, Inc.