Did you try sanitiseArg in your custom rules After file? You can also 
specify a pattern here, I believe; otherwise you will have to keep adding 
new/updated fields here that can possibly have sensitive data.

SecAction "phase:5,id:200,nolog,pass,\
  sanitiseArg:password,\
  sanitiseArg:confirmPassword"



Thanks

Subin
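As an added example (not from the thread or from the CRS project), the same idea extended so that card-number-like values are masked in the audit log by content, via @verifyCC, rather than only by parameter name; note these sanitise actions affect the audit log only, not the error-log line a blocking rule writes, so nolog is still needed on rules that fire. The rule ids 900100 and 900101 are placeholders chosen for this example.

```apache
# Added example: mask sensitive request data in the ModSecurity audit log.
# Rule ids 900100/900101 are placeholders, not CRS ids.

# 1. Mask known fields by name. Phase 5 (logging) runs after every other
#    rule has fired, so the masking applies to whatever was recorded.
SecAction "phase:5,id:900100,nolog,pass,\
  sanitiseArg:password,\
  sanitiseArg:confirmPassword,\
  sanitiseArg:cardNumber,\
  sanitiseArg:cvv,\
  sanitiseRequestHeader:Authorization"

# 2. Mask by content. @verifyCC applies the regex to every ARGS value and
#    keeps only matches that pass the Luhn check, so a new or renamed card
#    field is still masked without editing this file. nolog keeps this
#    rule from producing its own error-log entry.
SecRule ARGS "@verifyCC \d{13,16}" \
  "phase:2,id:900101,nolog,pass,t:none,\
  msg:'Card-number-like value masked in audit log',\
  sanitiseMatched"
```

Masked values show up in the audit log as asterisks; the error log is unaffected by sanitise actions, which is why the triggering rules themselves still need nolog.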

From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org 
[mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of 
Charles Farinella
Sent: Wednesday, June 03, 2015 10:22 AM
To: Joshua Roback
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] How to prevent request body 
logging?

Thanks for the suggestions, but I don't think either of these will solve our 
problem permanently.
The 'nolog' option is rule or status code dependent and we want to make sure 
that *no* request bodies are ever printed to the Nginx log.
The 'SecAuditLogParts' option seems to only affect what gets sent to the audit 
logs, we've tried this.  Mod_security docs say that "Messages at levels 1-3 are 
*always* copied to the Apache error log."   We are assuming that this applies 
equally to Nginx logs, and this is what we need to address.
We have clients sending credit card numbers in request bodies and they are 
triggering mod_security SQL injection rules which then write these bodies to 
the Nginx logs exposing the CC number.
We know that we can disable these specific rules, but are afraid that at some 
future time, or after an upgrade, these or some other rules will be triggered 
again exposing sensitive information.
Does OWASP have a "best practices" procedure for protecting this kind of data 
in a PCI environment?
How can we prevent *all* level 1-3 messages from being sent to the Nginx log?

Thanks again for your help.
--charlie

On Tue, Jun 2, 2015 at 4:08 PM, Joshua Roback 
<jrob...@gmail.com> wrote:
Inside your base modsecurity.conf file, I believe the following directive will 
allow you to choose which parts are logged based on the assigned letter values.
Example below will remove REQUEST and RESPONSE body:
SecAuditLogParts ABIFEHZ


On Tue, Jun 2, 2015 at 11:39 AM Chaim Sanders 
<csand...@trustwave.com> wrote:
Hey Charles,
You can use the nolog action to prevent ModSecurity from adding entries. For 
instance:
SecRule ARGS:test "Test" "block,status:403,nolog,id:1"


Chaim Sanders
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org 
[mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of 
Charles Farinella
Sent: Tuesday, June 2, 2015 10:38 AM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] How to prevent request body logging?

We are seeing request bodies logged to our nginx logs.  mod_security 
documentation says that "Messages at levels 1-3 are always copied to the Apache 
error log."  Does anyone know how we can prevent this behavior?

--
Charles Farinella
Systems Administrator
Appropriate Solutions, Inc.
603-924-6079

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set



--
Charles Farinella
Systems Administrator
Appropriate Solutions, Inc.
603-924-6079

