Ok well then to Christian's point: Are you specifying this exception AFTER the rule itself is defined? At the moment it looks like your whitelist.conf file is loaded BEFORE the rules themselves. Annoyingly some exceptions (using ctl) do need specified before but this one needs specified after so it's a little confusing. I usually have the following:
Include modsecurity.conf Include modsecurity_crs_10_setup.conf Include whitelist_before.conf Include owasp_crs\base_rules\*.conf Include whitelist_after.conf And in this case the exception needs to be in whitelist_after.conf file. Also are you sure that it's still blocking on rule 981318 and not another rule? Can you include the full log line? You can also turn on debug logging and you'll find a detailed log in there which might help you figure it out. I also presume you did restart your webserver to pick up the new config? Thanks, Barry > On 26 Apr 2016, at 21:28, Colin MacAllister <cmacallis...@probono.net> wrote: > > Thanks for the explanation. So it’s always assumed you are talking about the > REQUEST_COOKIE_NAME, and the REQUEST_COOKIES part just tells you what to > ignore. Cool. > > However, it’s still not working. Now I have > > SecRuleUpdateTargetById 981318 > "!REQUEST_COOKIES:CFAUTHORIZATION_cfadmin" > > The logs show everything starting up fine, and only one block – the first > time it runs into that cookie. > > Sent from Mail for Windows 10 > > From: Barry Pollard > Sent: Tuesday, April 26, 2016 3:51 PM > To: Colin MacAllister > Cc: OWASP CRS Mailing List > Subject: Re: [Owasp-modsecurity-core-rule-set] rules match despite updated > target list > > Understand that. > > My version of the exception means "exclude rule 981318 from checking the > value of the cookie which has the name CFAUTH..." > > You're version of the rule means "exclude rule 981318 from checking the name > of the cookie which has the name CFAUTH..." > > Both versions of the exclude config are specific to that cookie name. > > The log you've shown suggests it's the cookie value (for cookie CFAUTH..) > which is triggering the rule not the cookie NAME itself. This makes sense if > the cookie value contains double quotes as that is basically what rule 981318 > checks for. > > There's rarely a need to check the cookie name, so mostly you want to check > the value. However if your cookie name included an SQL word (e.g. if your > cookie was called abcTRUNCATE123 for example) then you might want to exclude > the cookie name from SQL injection rules. > > Thanks, > Barry > > On 26 Apr 2016, at 20:38, Colin MacAllister <cmacallis...@probono.net> wrote: > >> I'm trying to remove the rule when the cookie *name* is that CFAUTH... The >> cookie value changes with each session. What the have in common are >> enclosing double quotes, but I only wish to whitelist them when the cookie >> name is as above. >> >> from my phone >> >> On Apr 26, 2016 3:10 PM, Barry Pollard <barry_poll...@hotmail.com> wrote: >> You are whitelisting the cookie name and not its value. >> >> Try this: >> >> SecRuleUpdateTargetById 981318 "!REQUEST_COOKIES:CFAUTHORIZATION_cfadmin" >> >> Thanks, >> Barry >> >> > On 26 Apr 2016, at 19:47, Colin MacAllister <cmacallis...@probono.net> >> > wrote: >> > >> > SecRuleUpdateTargetById 981318 >> > "!REQUEST_COOKIES_NAMES:CFAUTHORIZATION_cfadmin"
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
