Re: [Owasp-modsecurity-core-rule-set] rules match despite updated target list

Tue, 26 Apr 2016 13:46:00 -0700 

Thanks for the explanation. So it’s always assumed you are talking about the 
REQUEST_COOKIE_NAME, and the REQUEST_COOKIES part just tells you what to 
ignore. Cool.

However, it’s still not working. Now I have

                SecRuleUpdateTargetById 981318 
"!REQUEST_COOKIES:CFAUTHORIZATION_cfadmin"

The logs show everything starting up fine, and only one block – the first time 
it runs into that cookie.

Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10

From: Barry Pollard<mailto:barry_poll...@hotmail.com>
Sent: Tuesday, April 26, 2016 3:51 PM
To: Colin MacAllister<mailto:cmacallis...@probono.net>
Cc: OWASP CRS Mailing 
List<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] rules match despite updated 
target list

Understand that.

My version of the exception means "exclude rule 981318 from checking the value 
of the cookie which has the name CFAUTH..."

You're version of the rule means  "exclude rule 981318 from checking the name 
of the cookie which has the name CFAUTH..."

Both versions of the exclude config are specific to that cookie name.

The log you've shown suggests it's the cookie value (for cookie CFAUTH..) which 
is triggering the rule not the cookie NAME itself. This makes sense if the 
cookie value contains double quotes as that is basically what rule 981318 
checks for.

There's rarely a need to check the cookie name, so mostly you want to check the 
value. However if your cookie name included an SQL word (e.g. if your cookie 
was called abcTRUNCATE123 for example) then you might want to exclude the 
cookie name from SQL injection rules.

Thanks,
Barry

On 26 Apr 2016, at 20:38, Colin MacAllister 
<cmacallis...@probono.net<mailto:cmacallis...@probono.net>> wrote:


I'm trying to remove the rule when the cookie *name* is that CFAUTH... The 
cookie value changes with each session. What the have in common are enclosing 
double quotes, but I only wish to whitelist them when the cookie name is as 
above.

from my phone

On Apr 26, 2016 3:10 PM, Barry Pollard 
<barry_poll...@hotmail.com<mailto:barry_poll...@hotmail.com>> wrote:
You are whitelisting the cookie name and not its value.

Try this:

    SecRuleUpdateTargetById 981318 "!REQUEST_COOKIES:CFAUTHORIZATION_cfadmin"

Thanks,
Barry

> On 26 Apr 2016, at 19:47, Colin MacAllister 
> <cmacallis...@probono.net<mailto:cmacallis...@probono.net>> wrote:
>
> SecRuleUpdateTargetById 981318 
> "!REQUEST_COOKIES_NAMES:CFAUTHORIZATION_cfadmin"

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

Reply via email to