Hey Kirk,

Thank you for trying this out so quickly. This is very helpful.
On Tue, Aug 15, 2017 at 09:12:37PM +1200, Kirk Jackson wrote:
> I think by "steering commando rules" you mean the rules that check which
> paranoia level is set, and then jump to the marker at the end of the file?

Exactly.

> The following config then works!
>
> Include modsecurity/crs-setup.conf
> Include crs/*.conf
>
> # Strip all default targets from CRS's SQLi rules (942xxx):
> SecRuleUpdateTargetByID 942100-942999 "!REQUEST_COOKIES"
> SecRuleUpdateTargetByID 942100-942999 "!REQUEST_COOKIES_NAMES"
> SecRuleUpdateTargetByID 942100-942999 "!ARGS_NAMES"
> SecRuleUpdateTargetByID 942100-942999 "!ARGS"
> SecRuleUpdateTargetByID 942100-942999 "!XML"
>
> # Only test SQLi for the SearchTerm parameter
> SecRuleUpdateTargetByID 942100-942999 "ARGS:SearchTerm"

Sweet. Glad it works.

> However, the ctl:ruleUpdateTargetById action doesn't work - I was led
> astray by the Mod Security Handbook, which is a bit out of date (at this
> url:
> https://www.feistyduck.com/library/modsecurity-handbook-2ed/online/xx1-directives.html#N15992).
> It looks like that got removed:
>
> Note : There was a ctl:ruleUpdateTargetById introduced in 2.6.0 and removed
> from the code in 2.7.0. JSON was added as part of v2.8.0-rc1
> (from https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ctl)

Oops. That's a clear factual mistake in the book. I think I need to talk to the author.

But on a more serious note: This is the first real technical bug in the book. We had a bug report before, but it was more a missing comment. Your discovery points to a factual error I should have noticed. Sorry.

Do you have a paper copy of the book? If not, then please give me your address and I will have a copy sent your way. Ironically, it will come with the bug, but I really appreciate people submitting errors they encounter in the book.

> If you have any ideas on how to further restrict it so I can run the SQLi
> rules for only one page + parameter combo, I'm interested to know!
With ctl:ruleUpdateTargetById being no longer an option, we need a different approach. This is turning more and more into a wild hack, but let's try out the following:

- Remove all the ARGS at startup time
- Add ARGS:SearchTerm at startup time
- Remove SearchTerm from all paths but /product/search at runtime -> "!@beginsWith /product/search"

Good luck and please report back!

Christian

--
ModSecurity courses Oct 2017 in London and Zurich
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:christian.fol...@netnea.com
twitter: @ChrFolini

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
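The three-step approach Christian sketches above, written out as one ModSecurity 2.x / CRS 3 configuration. This is an added example, not config from the thread or from the CRS project. It assumes Kirk's layout (CRS under crs/, the SQLi rules at ids 942100-942999, the parameter ARGS:SearchTerm, the page /product/search) and uses a made-up exclusion rule id 10001. Steps 1 and 2 reuse the SecRuleUpdateTargetByID lines Kirk already has; step 3 is the runtime part, done with ctl:ruleRemoveTargetById (which, unlike ctl:ruleUpdateTargetById, is still in the engine). Whether your build accepts an id range in that ctl action is an assumption to check against the reference manual for your version; if it does not, list the ids individually.

```apache
# Added example (not from the thread): Christian's three-step suggestion
# for running the CRS SQLi rules on exactly one page + parameter combo.
# Assumptions: CRS under crs/, SQLi rules are ids 942100-942999, the
# parameter is ARGS:SearchTerm, the page is /product/search, and the
# exclusion rule id 10001 is made up for this example.

Include modsecurity/crs-setup.conf
Include crs/*.conf

# Step 1 (startup): strip every default target from the CRS SQLi rules.
# SecRuleUpdateTargetByID has to come after the Include, once the rules exist.
SecRuleUpdateTargetByID 942100-942999 "!REQUEST_COOKIES"
SecRuleUpdateTargetByID 942100-942999 "!REQUEST_COOKIES_NAMES"
SecRuleUpdateTargetByID 942100-942999 "!ARGS_NAMES"
SecRuleUpdateTargetByID 942100-942999 "!ARGS"
SecRuleUpdateTargetByID 942100-942999 "!XML"

# Step 2 (startup): add back the single parameter that should still be inspected.
SecRuleUpdateTargetByID 942100-942999 "ARGS:SearchTerm"

# Step 3 (runtime): on every request whose path does NOT start with
# /product/search, take SearchTerm away from the SQLi rules again.
# phase:1 so this runs before the 942xxx rules fire in phase 2.
# REQUEST_FILENAME is the path without the query string.
# (Assumption: your ModSecurity build accepts an id range here; otherwise
# list the ids one per ctl action.)
SecRule REQUEST_FILENAME "!@beginsWith /product/search" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    ctl:ruleRemoveTargetById=942100-942999;ARGS:SearchTerm"
```

Two things to check once this is loaded: send a request to some other path with ?SearchTerm=' OR 1=1-- and confirm no 942xxx entry shows up in the audit log, then send the same payload to /product/search and confirm one does. Note also that @beginsWith matches any path that starts with /product/search (so /product/searchhistory too); if that is not what you want, switch the operator to an anchored @rx on the exact path.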