On Tue, Apr 26, 2016 at 09:06:44PM +0000, Colin MacAllister wrote:
> That did it. I was thinking that the whitelist needed to be loaded
> first so that the rule would be appropriately skipped, but of course
> that wouldn’t matter if they were all loaded into memory first.

Yes, it's a nuisance. In fact most tuning works better when done
_after_ the CRS are loaded. Not without exceptions, of course. :)

Ahoj,

Christian

> Thanks, and thanks, Barry for your suggestions.
>
> From: Christian Folini<mailto:christian.fol...@netnea.com>
> Sent: Tuesday, April 26, 2016 3:25 PM
> To: Colin MacAllister<mailto:cmacallis...@probono.net>
> Cc: OWASP List<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>
> Subject: Re: [Owasp-modsecurity-core-rule-set] rules match despite updated target list
>
> Colin,
>
> Please try and include your whitelist.conf _after_ the owasp_crs.
>
> Ahoj,
>
> Christian
>
> On Tue, Apr 26, 2016 at 06:34:33PM +0000, Colin MacAllister wrote:
> > I have a cookie by the name of CFAUTHORIZATION_cfadmin which is
> > triggering a sql injection OWASP base rule. I have in the past
> > successfully circumvented it with
> >
> > SecRuleUpdateTargetById 981318 "!REQUEST_COOKIES_NAMES:CFAUTHORIZATION_cfadmin"
> >
> > I have this rule in a file called whitelist.conf, and this is being
> > included in my modsecurity_iis.conf file:
> >
> > Include modsecurity.conf
> > Include modsecurity_crs_10_setup.conf
> > Include whitelist.conf
> > Include owasp_crs\base_rules\*.conf
> > #Include pbncustom.conf
> >
> > Modsecurity_iis.conf is being referred to as the base config file in
> > the IIS directive in the application host file like this:
> >
> > <ModSecurity enabled="true" configFile="C:\Program Files\ModSecurity IIS\modsecurity_iis.conf" />
> >
> > But when I make a request, each of the http gets in a request
> > triggers the warning about the CFAUTHORIZATION_cfadmin cookie. (The
> > problem is that the value for the cookie has double quotes around
> > it, which is as far as I know not changeable.)
> >
> > [client 127.0.0.1:51619] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at REQUEST_COOKIES:CFAUTHORIZATION_cfadmin.
> >
> > Does anyone know what might be going on here? I had some confusion
> > about the SecRuleUpdateTargetByID directive, since some sources made
> > Target plural, and some had it in singular – even in the same
> > resource.
>
> --
> mailto:christian.fol...@netnea.com
> http://www.christian-folini.ch
> twitter: @ChrFolini

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
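
Added example, not part of the original thread or of the CRS project: a small Python check that walks an Include chain in load order and reports any SecRuleUpdateTargetById that appears before the rule id it names, which is the ordering problem resolved in this thread. The file contents are constructed stand-ins (the rule body is not real CRS content), and the names directives, early_updates, BEFORE and AFTER are assumptions for illustration.

```python
import fnmatch
import re

def directives(files, name, seen=None):
    """Yield (file, line_no, text) for each directive, following Include lines in order."""
    seen = set() if seen is None else seen
    if name in seen:            # guard against include loops
        return
    seen.add(name)
    for n, line in enumerate(files[name].splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        inc = re.match(r"Include\s+(\S+)", line, re.I)
        if inc:                 # expand wildcards in sorted order
            for target in sorted(fnmatch.filter(files, inc.group(1))):
                yield from directives(files, target, seen)
        else:
            yield name, n, line

def early_updates(files, root):
    """Return SecRuleUpdateTargetById lines that precede the rule they name.
    Handles single numeric ids only, not id ranges."""
    defined, findings = set(), []
    for name, n, line in directives(files, root):
        upd = re.match(r"SecRuleUpdateTargetById\s+(\d+)", line, re.I)
        if upd:
            if int(upd.group(1)) not in defined:
                findings.append((name, n, int(upd.group(1))))
        else:
            defined.update(int(i) for i in re.findall(r"\bid:'?(\d+)", line))
    return findings

# Constructed stand-ins for the files named in the thread (not real CRS content).
COMMON = {
    "modsecurity.conf": "SecRuleEngine On\n",
    "modsecurity_crs_10_setup.conf": "# setup placeholder\n",
    "whitelist.conf": 'SecRuleUpdateTargetById 981318 '
                      '"!REQUEST_COOKIES_NAMES:CFAUTHORIZATION_cfadmin"\n',
    "owasp_crs/base_rules/example.conf":
        'SecRule REQUEST_COOKIES "@rx ^;+" "id:981318,phase:2,block"\n',
}
HEAD = "Include modsecurity.conf\nInclude modsecurity_crs_10_setup.conf\n"
BEFORE = dict(COMMON, root=HEAD + "Include whitelist.conf\n"
                                  "Include owasp_crs/base_rules/*.conf\n")
AFTER = dict(COMMON, root=HEAD + "Include owasp_crs/base_rules/*.conf\n"
                                 "Include whitelist.conf\n")

if __name__ == "__main__":
    print(early_updates(BEFORE, "root"))  # whitelist loaded before the rules
    print(early_updates(AFTER, "root"))   # whitelist loaded after the rules
```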