Hi Bob

To determine what exactly is triggering the rule, you can view the error logs 
that are created in response to the detected rule. Data matched variable is 
going to show exactly what is being detected as a threat.

You can disable the mentioned rule just for this particular URI like:

SecRule REQUEST_URI "@beginsWith /dhis/api/26/dimensions.json" \
    "id:10000,phase:1,pass,nolog,ctl:ruleRemoveById=942100"

You will have to include the above rule before the rule file 942100. 

Regards
Waqas Ali
----------------------------------------------------------------------

Message: 1
Date: Thu, 12 Oct 2017 13:39:53 +0200
From: Bob Jolliffe <bobjolli...@gmail.com>
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] Possibility of fine tuning
        libinjection results
Message-ID:
        <CACd=f9ehJ9t24UG9fJch=__59q4rkb4jtubbzc2v_dmr5vu...@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hi

I am not very experienced with owcrs so please bear with me if I say
silly things.

I have a problem that rule 942100 (libinjection) is getting falsely
triggered in response to a legitimate api call on our application.  In
particular the offending URL is:

GET /dhis/api/26/dimensions.json?fields=id,displayName~rename(name),dimensionType&paging=false

Which triggers 942100 with a fingerprint of 'nok(n'.

I don't really want to disable the whole rule as I am sure
libinjection is valuable and it seems it is just this nok thing which
is tripping.   I also will not easily get developers to change the api
in a hurry.  Does anybody know is there a way to keep 942100 but just
disable responding to this particular fingerprint?

Bonus question: can anybody tell me what it is exactly in the URL
which is upsetting libinjection?  I am suspecting it has to do with
'rename(name)'

Regards
Bob
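
Added example, not part of either message above: a small Python helper that reads the alert from the error log, as the reply suggests, and derives an exclusion narrower than the one in the reply, using ModSecurity's ctl:ruleRemoveTargetById so that rule 942100 skips only the matched variable on that URI. The log line is constructed, and the "Matched Data: ... found within ..." layout, the hostname and the function names are assumptions.

```python
import re

# Constructed sample in the ModSecurity 2.x error-log style (not from the poster's server).
SAMPLE_LOG = (
    "[Thu Oct 12 13:39:53 2017] [:error] [client 192.0.2.10] ModSecurity: Warning. "
    "detected SQLi using libinjection with fingerprint 'nok(n' "
    '[id "942100"] [msg "SQL Injection Attack Detected via libinjection"] '
    '[data "Matched Data: nok(n found within ARGS:fields: '
    'id,displayName~rename(name),dimensionType"] [severity "CRITICAL"] '
    '[hostname "dhis.example.org"] [uri "/dhis/api/26/dimensions.json"]'
)

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Assumed logdata layout: "Matched Data: <match> found within <VARIABLE>: <value>"
DATA_RE = re.compile(
    r"Matched Data: (.*?) found within ([A-Z_]+(?::[^:\s]+)?): (.*)", re.S)
# Log fields echo request data, so only allow-listed characters reach the config.
SAFE_URI = re.compile(r"[\w/.\-]+")
SAFE_VAR = re.compile(r"[A-Z_]+(?::[\w.\-]+)?")


def parse_alert(line):
    """Extract rule id, URI, matched variable and its value from one alert line."""
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields or "uri" not in fields:
        return None
    m = DATA_RE.search(fields.get("data", ""))
    return {"id": fields["id"], "uri": fields["uri"],
            "var": m.group(2) if m else None,
            "value": m.group(3) if m else None}


def scoped_exclusion(alert, new_id):
    """Build an exclusion limited to one rule, one URI prefix and one variable."""
    if alert is None or not alert["var"]:
        raise ValueError("no matched variable found in the log entry")
    if not (alert["id"].isdigit() and SAFE_URI.fullmatch(alert["uri"])
            and SAFE_VAR.fullmatch(alert["var"])):
        raise ValueError("unexpected characters in id, URI or variable name")
    return ('SecRule REQUEST_URI "@beginsWith %s" \\\n'
            '    "id:%d,phase:1,pass,nolog,ctl:ruleRemoveTargetById=%s;%s"'
            % (alert["uri"], new_id, alert["id"], alert["var"]))


if __name__ == "__main__":
    print(scoped_exclusion(parse_alert(SAMPLE_LOG), 10000))
```

As with the rule in the reply, the generated rule has to be loaded before the file that defines 942100, and the other request parameters on that URI stay covered by libinjection.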

