I agree with Joshua that it's better to do this from within ModSecurity. This is because LocationMatch runs AFTER the phase 1 ModSecurity rules, so that's the only option for adjusting phase 1 rules. Now, this particular example is a phase 2 rule, so LocationMatch should work; however, it's nice to be consistent so you don't have to worry about which phase the rule is for.

Joshua's suggestion is also better, as it only removes the request argument from the rule checking rather than turning it off completely for all arguments, cookies, etc. Anyway, as it's a phase 2 rule, what you did should work if you wanted to do it that way. I suspect the reason it is not working in LocationMatch is that you are removing the rule BEFORE it's been defined in the config: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecRuleRemoveById

"Note : This directive must be specified after the rule in which it is disabling. This should be used within local custom rule files that are processed after third party rule sets. Example file - modsecurity_crs_60_customrules.conf."

If you load the ModSecurity rules and then do the LocationMatch, it should work, so check that. Still advise you do it Joshua's way though, for the reasons given.

Thanks,
Barry

________________________________
> From: jrob...@gmail.com
> Date: Sat, 4 Apr 2015 20:49:44 +0000
> To: ilyassi...@gmail.com; owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: Re: [Owasp-modsecurity-core-rule-set] False positives Web services
>
> This may be an older way to get the job done, but I typically would whitelist that specific Argument in a rule.
>
> SecRule REQUEST_URI "@beginsWith /webservice" "phase:1,t:none,t:lowercase,pass,nolog,ctl:ruleRemoveTargetById=950901;ARGS:request"
>
> On Sat, Apr 4, 2015 at 1:49 AM Ilyass Kaouam <ilyassi...@gmail.com> wrote:
> > Hi,
> >
> > We have this request for a web service:
> >
> > http://www.mywebsite.com/webservice?request=%3Cxmlrequest%3E%3Cheader%3E%3Cutilisateur%3Exxx%3C/utilisateur%3E%3Cmotdepasse%3Exxx%3C/motdepasse%3E%3Crequete%3Esearch%3C/requete%3E%3Clangage%3EFR%3C/langage%3E%3Cpays%3Exx%3C/pays%3E%3C/header%3E%3Cbody%3E%3Cnbrparpage%3Exx%3C/nbrparpage%3E%3Cpage%3E2%3C/page%3E%3Ctyperecherche%3Exx%3C/typerecherche%3E%3C/body%3E%3C/xmlrequest%3E
> >
> > mod_security forbids this request; the log:
> >
> > Message: Access denied with code 403 (phase 2). Pattern match "(?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\b([\\d\\w]++)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\2\\b|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not ..." at ARGS:request. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: utilisateur> xxxx found within ARGS:request: <xmlrequest><header><utilisateur>xxxx</utilisateur><motdepasse>xxxx</motdepasse><requete>search</requete><langage>xx</langage><pays>xxx</pays></header><body><nbrparpage>10</nbrparpage><page>2</page><typerecherche>
> > Action: Intercepted (phase 2)
> > Apache-Handler: proxy-server
> > Stopwatch: 1427968010902873 5141 (- - -)
> > Stopwatch2: 1427968010902873 5141; combined=1880, p1=97, p2=1759, p3=0, p4=0, p5=24, sr=26, sw=0, l=0, gc=0
> > Response-Body-Transformed: Dechunked
> > Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
> > Server: Apache
> > Engine-Mode: "ENABLED"
> >
> > I tried:
> >
> > <LocationMatch /webservice>
> > SecRuleRemoveByID 950901
> > </LocationMatch>
> >
> > But I'm afraid it's not safe. How can I allow my web services safely?
> >
> > Thank you.
> >
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
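To make the difference Barry describes concrete, here is an added Python model (not ModSecurity's code and not from anyone in the thread) of the two exclusion styles: removing rule 950901 for the whole location versus removing only the ARGS:request target for that location. The tautology detector, the rule table and the extra `id` argument are constructed stand-ins; the real CRS regex is the one quoted in the log above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a tautology check: "word OP word". It is
# deliberately crude so that, like the real 950901 in the thread, it
# also fires on XML text such as "utilisateur>xxx". Not the CRS regex.
TAUTOLOGY = re.compile(r"\b(\w+)\s*(?:<>|!=|<=|>=|=|<|>)\s*(\w+)\b")

# Hypothetical rule table: id -> (phase, detector). Only 950901 is modelled.
RULES = {950901: (2, TAUTOLOGY)}


def remove_rule_by_id(rules, rule_id):
    """Model of SecRuleRemoveById: drops the rule for every target.
    It only has an effect if the rule is already defined when the
    directive is processed; a LocationMatch read before the CRS
    includes has nothing to remove."""
    return {rid: r for rid, r in rules.items() if rid != rule_id}


def inspect(url, rules, removed_targets=frozenset()):
    """Run the phase-2 ARGS rules over the query string.
    removed_targets holds (rule_id, arg_name) pairs that a phase-1
    ctl:ruleRemoveTargetById action excluded for this request; the
    rule still runs against every other argument."""
    args = parse_qs(urlsplit(url).query)
    hits = []
    for rid, (phase, detector) in rules.items():
        if phase != 2:
            continue
        for name, values in args.items():
            if (rid, name) in removed_targets:
                continue
            if any(detector.search(v) for v in values):
                hits.append((rid, name))
    return hits


def demo():
    # Constructed request: the thread's XML argument plus a second,
    # unrelated argument carrying a textbook tautology ("1=1").
    url = ("http://www.mywebsite.com/webservice?request=%3Cxmlrequest%3E"
           "%3Cheader%3E%3Cutilisateur%3Exxx%3C/utilisateur%3E%3C/header%3E"
           "%3C/xmlrequest%3E&id=1%3D1")
    default = inspect(url, RULES)                      # both args flagged
    whole_rule = inspect(url, remove_rule_by_id(RULES, 950901))  # nothing
    one_target = inspect(url, RULES, {(950901, "request")})      # id only
    return default, whole_rule, one_target
```

Running `demo()` shows the whole-rule removal silencing the detector for every argument under /webservice, while the per-target exclusion keeps it active on `id`.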