Hi Brian,

Put an include file before loading the CRS rules with all of your customizations; try not to work in the CRS files, as you will have many problems replicating your changes after every upgrade.

Regards,
Manuel

From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Brian Davis (bridavis)
Sent: Friday 26 February 2016 05:45
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] Interesting into a custom SecRule into CRS chain

Hi,

I'm trying to allow a certain domain to be exempted from the core RFI rule. What I've done is modify the relevant rule in modsecurity_crs_40_generic_attacks.conf:

SecRule ARGS "^(?:ht|f)tps?://(.*)$" \
    "chain,phase:2,rev:'3',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950120',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI'"
    SecRule TX:1 "!@contains abc" "chain"
    SecRule TX:1 "!@beginsWith %{request_headers.host}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.1}"

And this works. However, an upgrade of the CRS will wipe this out and it will have to be manually added again. How would I go about inserting a "link" into the chain from an external file (e.g., modsecurity_crs_61_customrules.conf)?

Thanks,
Brian
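
One way to follow the advice in the reply without editing the CRS files, as an added example (not from the thread or the CRS project): a local rule file, loaded before the CRS rules, that switches off rule 950120 for the current transaction when an argument is a URL on the exempted host. The file names and paths, the rule id 10120 and the host trusted.example.com are assumptions made for illustration.

```apache
# Load order (paths and file names are hypothetical):
#   Include conf/crs/modsecurity_crs_10_setup.conf
#   Include conf/crs/local_crs_exceptions.conf      <- the rule below lives here
#   Include conf/crs/activated_rules/*.conf         <- unmodified CRS, 950120 included
#
# The exception has to be loaded first: rules in the same phase run in
# configuration order, and ctl:ruleRemoveById only affects rules that have
# not been evaluated yet in the transaction.

# trusted.example.com is a constructed placeholder for the exempted domain.
# The pattern is anchored to the scheme and the complete host name (with an
# optional numeric port), so a URL that merely contains the string somewhere
# in its path, query or another host name does not qualify.
# id 10120 is an arbitrary value from the range reserved for local rules.
SecRule ARGS "@rx ^(?:ht|f)tps?://trusted\.example\.com(?::\d+)?(?:[/?#]|$)" \
    "id:'10120',phase:2,t:none,t:lowercase,pass,nolog,ctl:ruleRemoveById=950120"
```

Because ctl:ruleRemoveById applies to the whole transaction, every other argument in the same request also skips rule 950120, which is broader than the per-argument test in the modified chain. The stock rule stays untouched in modsecurity_crs_40_generic_attacks.conf and still runs for all requests that do not match the exception.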