Hi, I'm trying to allow a certain domain to be exempted from the core RFI rule.
What I've done is modified the relevant rule in modsecurity_crs_40_generic_attacks.conf:

    SecRule ARGS "^(?:ht|f)tps?://(.*)$" \
        "chain,phase:2,rev:'3',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950120',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI'"
        SecRule TX:1 "!@contains abc" "chain"
        SecRule TX:1 "!@beginsWith %{request_headers.host}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.1}"

And this works. However, an upgrade of the CRS will wipe this out and it will have to be manually added again.

How would I go about inserting a "link" into the chain from an external file (e.g., modsecurity_crs_61_customrules.conf)?

Thanks,
Brian
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
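The modified chain from the post, emulated in Python as an added example (not part of the original message or of the CRS): it shows which argument values still trigger rule 950120, and that `!@contains abc` exempts a URL with that string anywhere after the scheme, not only in the host. The function names, the host names and the stricter host comparison are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# First rule of the chain; with "capture", group 1 is what ModSecurity stores in TX:1.
RFI_RE = re.compile(r"^(?:ht|f)tps?://(.*)$")

def chain_matches(arg, host_header, exempt="abc"):
    """Emulate the modified chain. True means every link matched and 950120 fires."""
    m = RFI_RE.search(arg)
    if not m:
        return False                      # SecRule ARGS did not match
    tx1 = m.group(1)
    if exempt in tx1:                     # SecRule TX:1 "!@contains abc" is false
        return False
    if tx1.startswith(host_header):       # SecRule TX:1 "!@beginsWith %{request_headers.host}" is false
        return False
    return True

def strict_matches(arg, host_header, exempt_hosts):
    """Comparison (hypothetical): exempt only when the URL's host equals an allowed host."""
    if not RFI_RE.search(arg):
        return False
    url_host = (urlsplit(arg).hostname or "").lower()
    own_host = host_header.split(":")[0].lower()   # drop an optional port
    return url_host != own_host and url_host not in exempt_hosts

# Constructed sample values; "abc" stands in for the exempted domain as in the post.
SAMPLES = [
    "http://other.example/x.php",       # off-domain link
    "http://abc.example/x.php",         # the exempted domain
    "http://other.example/?id=abc",     # "abc" only in the query string
    "http://www.example.com/page",      # same host as the request
    "just some text",                   # not a URL
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:35} chain={chain_matches(s, 'www.example.com')!s:5} "
              f"strict={strict_matches(s, 'www.example.com', {'abc.example'})}")
```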