Hey Kirk,

Thank you for your fully documented recipe. Glad it works. This is almost ready for a complete blogpost on the subject:

- Step 1: Running rules only on certain parameters
- Step 2: Running rules only on certain parameters on certain paths

Interested to write that?

Ahoj,

Christian

On Wed, Aug 16, 2017 at 11:09:45AM +1200, Kirk Jackson wrote:
> > - Remove SearchTerm from all paths but /product/search at runtime
> > -> "!@beginsWith /product/search"
> >
> > Good luck and please report back!
>
> That works well.
>
> Here's my canonical "How you run the Core Rule Set's SQLi rules only on
> vulnerable pages and parameters" for historical / archival reference:
>
> These rules disable the SQL injection rules in the Core Rule Set v3, except
> for two parameters: "SearchTerm" and "foo". This is done at configuration
> time, so the SecRuleUpdateTargetByID statements have to go after the Core
> Rule Set is included.
>
> Then at runtime, we narrow down the list of pages that the SQLi rules are
> run against, by removing the two parameters "SearchTerm" and "foo"
> depending on which URL is being requested. As this is at runtime, these two
> rules need to go before the Core Rule Set rules are included, so that the
> change to their Target is done before they run.
>
> # Runtime: Only run the SQLi rules against SearchTerm if on the Product Search page
> SecRule REQUEST_FILENAME "!@beginsWith /product/search" \
>     "id:2011,phase:2,\
>     pass,nolog,\
>     t:none,t:lowercase,t:normalisePath,\
>     ctl:ruleRemoveTargetById=942100-942999;ARGS:SearchTerm"
>
> # Runtime: Only run the SQLi rules against argument foo if on the About page
> SecRule REQUEST_FILENAME "!@beginsWith /home/about" \
>     "id:2012,phase:2,\
>     pass,nolog,\
>     t:none,t:lowercase,t:normalisePath,\
>     ctl:ruleRemoveTargetById=942100-942999;ARGS:foo"
>
> Include modsecurity/crs-setup.conf
> Include crs/*.conf
>
> # Configure-Time: Disable CRS's SQLi rules:
> SecRuleUpdateTargetByID 942100-942999 "!REQUEST_COOKIES"
> SecRuleUpdateTargetByID 942100-942999 "!REQUEST_COOKIES_NAMES"
> SecRuleUpdateTargetByID 942100-942999 "!ARGS_NAMES"
> SecRuleUpdateTargetByID 942100-942999 "!ARGS"
> SecRuleUpdateTargetByID 942100-942999 "!XML"
>
> # Configure-Time: Only test SQLi for the SearchTerm & foo parameters
> SecRuleUpdateTargetByID 942100-942999 "ARGS:SearchTerm"
> SecRuleUpdateTargetByID 942100-942999 "ARGS:foo"
>
> # (Jump back up to ID 2011 and 2012 above the include for CRS, to see the rest of the rules)
>
> I appreciate your help getting this working.
>
> Cheers,
>
> Kirk

--
ModSecurity courses Oct 2017 in London and Zurich
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
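As an added illustration that is not part of the thread, the following script models how Kirk's two layers combine: the configure-time SecRuleUpdateTargetByID lines first, then the per-request ctl:ruleRemoveTargetById rules 2011 and 2012, yielding the arguments the 942xxx SQLi rules still inspect for a given path. Paths, parameter names and rule ids are taken from the quoted config; the request samples are constructed, and t:normalisePath is not modelled.

```python
# Added example (not code from the thread): model of how the configure-time
# SecRuleUpdateTargetByID lines and the phase-2 ctl:ruleRemoveTargetById rules
# narrow the targets of the CRS SQLi rules (ids 942100-942999) per request.
# Paths, parameter names and rule ids are Kirk's; request samples are constructed.

# Targets the CRS 942xxx rules look at, as named in Kirk's "!..." exclusions.
CRS_SQLI_TARGETS = {"REQUEST_COOKIES", "REQUEST_COOKIES_NAMES",
                    "ARGS_NAMES", "ARGS", "XML"}

# SecRuleUpdateTargetByID 942100-942999 "<target>", applied in file order.
CONFIG_TIME = ["!REQUEST_COOKIES", "!REQUEST_COOKIES_NAMES", "!ARGS_NAMES",
               "!ARGS", "!XML", "ARGS:SearchTerm", "ARGS:foo"]

# Rules 2011 and 2012: when REQUEST_FILENAME does NOT begin with the prefix,
# the named target is removed from the 942xxx rules for this request only.
RUNTIME = [("/product/search", "ARGS:SearchTerm"),   # id:2011
           ("/home/about", "ARGS:foo")]              # id:2012


def configure_time_targets(base, updates):
    """'!X' removes target X from the rules, a bare 'X' appends it."""
    targets = set(base)
    for t in updates:
        if t.startswith("!"):
            targets.discard(t[1:])
        else:
            targets.add(t)
    return targets


def effective_targets(path, targets):
    """Apply the phase-2 ctl removals for one request path."""
    path = path.lower()                       # t:lowercase on REQUEST_FILENAME
    live = set(targets)
    for prefix, target in RUNTIME:
        if not path.startswith(prefix):       # "!@beginsWith <prefix>" fires
            live.discard(target)
    return live


def inspected_args(path, args):
    """Request arguments the SQLi rules will actually examine."""
    live = effective_targets(path, configure_time_targets(CRS_SQLI_TARGETS, CONFIG_TIME))
    return sorted(a for a in args if "ARGS" in live or f"ARGS:{a}" in live)


if __name__ == "__main__":
    sample = {"SearchTerm": "x", "foo": "y", "bar": "z"}   # constructed args
    for p in ("/product/search", "/home/about", "/account/profile"):
        print(p, inspected_args(p, sample))
```

Running it shows only SearchTerm inspected under /product/search, only foo under /home/about, and nothing elsewhere, which is the behaviour Kirk describes.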