Hi,
Thank you,
Finally I use this:
SecRuleUpdateTargetById 981245 !ARGS:/^SubmitCercle
And I add the parameter in:
SecRule REQUEST_COOKIES|!REQUEST_COOKIES
:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML|!
ARGS:/message/|!ARGS:/left/|!ARGS:/right/:/*
"(?i:(?:.*?[)\da-f\"'`´’‘][\"'`´’‘](?\
:[\"'`´’‘].*?[\"'`´’‘]|\Z|[^\"'`´’‘]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())"
"phase:2,capture,t:none,t:urlDecodeUni,blo\
ck,msg:'Detects MySQL comment-/space-obfuscated injections and backtick
termination',id:'981257',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched
Data: %{TX.0} found within %{MATCHED_VAR_NAME}\
: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id
}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQ
\
Thank you :)
2015-12-28 21:24 GMT+00:00 Chaim Sanders <csand...@trustwave.com>:
> This is probably the opposite of what you want to do.
> Not only does it not work with your link because of the extra slash (it is
> a dollar sign in your link) but this will turn off ALL the rules for any
> request that contains that keyword anywhere in it.
>
> Take a look at this post:
> https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--(Updated)-Exception-Handling/
> To get a better idea of what you should be doing :). If you are confused
> by the post reach back out and I’ll work with you some more.
>
> From: Ilyass Kaouam <ilyassi...@gmail.com>
> Reply-To: "ilyassi...@gmail.com" <ilyassi...@gmail.com>
> Date: Monday, December 28, 2015 at 5:05 AM
> To: Chaim Sanders <csand...@trustwave.com>
> Cc: "owasp-modsecurity-core-rule-set@lists.owasp.org" <
> owasp-modsecurity-core-rule-set@lists.owasp.org>
> Subject: Re: [Owasp-modsecurity-core-rule-set] Exclude a request
>
> Hi Chaim,
>
> Thank you for you reply,
>
> SecRule REQUEST_URI "^/SubmitCercle"
> id:1,t:none,t:lowercase,nolog,phase:1,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off
>
> You would like say like this ?
>
> Thank you
>
>
>
> 2015-12-23 18:25 GMT+00:00 Chaim Sanders <csand...@trustwave.com>:
>
>> The ideal way to do this with OWASP crs is to exclude that variable from
>> being inspected by the given rule. This can be done by using the
>> secupdatetargetbyid directive. To this directive you may pass ! Action and
>> also the id of the rule causing the issue. For an example please see the
>> modsecurity reference manual.
>> When not using OWASP you would probably add chained portions to the rule
>> to exclude it from firing whenever the request URL and parameters were
>> present. Doing this with OWASP will cause issues with updates potentially.
>> On Dec 23, 2015 11:41 AM, Ilyass Kaouam <ilyassi...@gmail.com> wrote:
>>
>> Hi,
>>
>> Hello,
>>
>> I have a question please
>>
>> I have a text field in which the user enters a message, the WAF blocks
>> this request
>> here is the url:
>>
>> POST / servlet / EspaceClientServlet?Action=Ajax$SubmitCercle
>>
>> I want to exclude this request that is to say to waf do not filter
>> queries with "POST / servlet/EspaceClientServlet?Action=Ajax$SubmitCercle"
>>
>> Can you please tell me how?
>>
>> Thank you
>>
>> --
>> *Ilyass kaouam*
>> *Systems administrator*
>> * at Inforisk Group Finaccess *
>>
>>
>> ------------------------------
>>
>> This transmission may contain information that is privileged,
>> confidential, and/or exempt from disclosure under applicable law. If you
>> are not the intended recipient, you are hereby notified that any
>> disclosure, copying, distribution, or use of the information contained
>> herein (including any reliance thereon) is strictly prohibited. If you
>> received this transmission in error, please immediately contact the sender
>> and destroy the material in its entirety, whether in electronic or hard
>> copy format.
>>
>
>
>
> --
> *Ilyass kaouam*
> *Systems administrator*
> * at Inforisk Group Finaccess *
>
> ------------------------------
>
> This transmission may contain information that is privileged,
> confidential, and/or exempt from disclosure under applicable law. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or use of the information contained
> herein (including any reliance thereon) is strictly prohibited. If you
> received this transmission in error, please immediately contact the sender
> and destroy the material in its entirety, whether in electronic or hard
> copy format.
>
--
*Ilyass kaouam*
*Systems administrator*
* at Inforisk Group Finaccess *
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
