Hi Joshua, thank you for your reply, it's clear. Barry, thank you for your comprehensive explanation :)

2015-04-04 22:13 GMT+01:00 Barry Pollard <barry_poll...@hotmail.com>:

> I agree with Joshua that it's better to do this from within ModSecurity.
> This is because LocationMatch runs AFTER the phase 1 ModSecurity rules so
> that's the only option for adjusting phase 1 rules. Now this particular
> example is a phase 2 rule, however so LocationMatch should work but nice to
> be consistent so you don't have to worry about which phase the rule is for.
>
> Joshua's suggestion is also better, as it only removes the request
> argument from the rule checking rather than turning it off completely for
> all arguments, cookies...etc.
>
> Anyway, as it's a phase 2 rule, what you did should work if you wanted to
> do it that way. I suspect the reason it is not working in LocationMatch, is
> that you are removing the rule BEFORE it's been defined in the config:
>
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecRuleRemoveById
> "Note : This directive must be specified after the rule in which it is
> disabling. This should be used within local custom rule files that are
> processed after third party rule sets. Example file -
> modsecurity_crs_60_customrules.conf."
>
> If you load the ModSecurity rules, and then do the LocationMatch it should
> work so check that. Still advise you do it Joshua's way though for the
> reasons given.
>
> Thanks,
> Barry
>
> ________________________________
> > From: jrob...@gmail.com
> > Date: Sat, 4 Apr 2015 20:49:44 +0000
> > To: ilyassi...@gmail.com; owasp-modsecurity-core-rule-set@lists.owasp.org
> > Subject: Re: [Owasp-modsecurity-core-rule-set] False positives Web services
> >
> > This may be an older way to get the job done, but I typically would
> > whitelist that specific Argument in a rule.
> >
> > SecRule REQUEST_URI "@beginsWith /webservice" "phase:1,t:none,t:lowercase,pass,nolog,ctl:ruleRemoveTargetById=950901;ARGS:request"
> >
> > On Sat, Apr 4, 2015 at 1:49 AM Ilyass Kaouam <ilyassi...@gmail.com> wrote:
> > Hi,
> >
> > We have this request for a web service :
> >
> > http://www.mywebsite.com/webservice?request=%3Cxmlrequest%3E%3Cheader%3E%3Cutilisateur%3Exxx%3C/utilisateur%3E%3Cmotdepasse%3Exxx%3C/motdepasse%3E%3Crequete%3Esearch%3C/requete%3E%3Clangage%3EFR%3C/langage%3E%3Cpays%3Exx%3C/pays%3E%3C/header%3E%3Cbody%3E%3Cnbrparpage%3Exx%3C/nbrparpage%3E%3Cpage%3E2%3C/page%3E%3Ctyperecherche%3Exx%3C/typerecherche%3E%3C/body%3E%3C/xmlrequest%3E
> >
> > mod_security forbidden this request log :
> >
> > Message: Access denied with code 403 (phase 2). Pattern match
> > "(?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\b([\\d\\w]++)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\2\\b|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not
> > ..." at ARGS:request. [file
> > "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> > [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL
> > Tautology Detected."] [data "Matched Data: utilisateur>
> > xxxx
> > found within ARGS:request: <xmlrequest><header><utilisateur>
> > xxxx
> > </utilisateur><motdepasse>
> > xxxx
> > </motdepasse><requete>search</requete><langage>
> > xx
> > </langage><pays>
> > xxx
> > </pays></header><body><nbrparpage>10</nbrparpage><page>2</page><typerecherche>
> >
> > Action: Intercepted (phase 2)
> >
> > Apache-Handler: proxy-server
> >
> > Stopwatch: 1427968010902873 5141 (- - -)
> >
> > Stopwatch2: 1427968010902873 5141; combined=1880, p1=97, p2=1759, p3=0,
> > p4=0, p5=24, sr=26, sw=0, l=0, gc=0
> >
> > Response-Body-Transformed: Dechunked
> >
> > Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/);
> > OWASP_CRS/2.2.9.
> >
> > Server: Apache
> >
> > Engine-Mode: "ENABLED"
> >
> > I tried :
> >
> > <LocationMatch /webservice>
> >
> > SecRuleRemoveByID 950901
> >
> > </LocationMatch>
> >
> > But I'm afraid it's not Safely
> >
> > How I can allow my web services Safely ?
> >
> > Thank you.
> >
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
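
The two exclusions discussed in this thread, laid out in load order as an added example (not part of any message in the thread). Rule id `1000001` is a constructed placeholder, the CRS directory is the one shown in the audit log, and the anchored `^/webservice` pattern is an assumption about the intended scope.

```apache
# Added example, not from the thread. Use ONE of option A or option B.

# The CRS rules have to be loaded before any SecRuleRemoveById that names
# them. The directory comes from the [file ...] field of the audit log in
# this thread; the site's existing CRS setup include is assumed to come first.
Include /etc/httpd/modsecurity-crs/base_rules/*.conf

# Option A (broad): configure-time removal, placed AFTER the Include above.
# Rule 950901 is switched off entirely for matching URLs, so no argument,
# cookie or other target is checked by it there.
# LocationMatch takes a regular expression: an unanchored /webservice would
# also match any path that merely contains that string, hence the ^ anchor
# (assumption about the intended scope).
<LocationMatch "^/webservice">
    SecRuleRemoveById 950901
</LocationMatch>

# Option B (narrow): run-time target exclusion, as suggested in the thread.
# The rule runs in phase 1, before the phase 2 rule 950901 is evaluated, and
# removes only ARGS:request from that rule's targets; every other argument
# and target is still inspected by 950901 on /webservice.
# ModSecurity 2.7 and later require an id on every rule; 1000001 is a
# placeholder, pick one from your own local range.
SecRule REQUEST_URI "@beginsWith /webservice" "id:1000001,phase:1,t:none,t:lowercase,pass,nolog,ctl:ruleRemoveTargetById=950901;ARGS:request"
```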