Thank you Manuel Spartan for the response. Yes, it is always good to create very specific disable rules to make sure the rules are ignored only for the specific requests.

@Bob Jolliffe, please take note of the SecRule from Manuel Spartan. These are more specific and the matching rule ID will only be ignored for the request causing the problem.

Regards
Waqas Ali

________________________________
From: Manuel Spartan <spartan...@gmail.com>
Sent: Friday, October 13, 2017 3:29 PM
To: Waqas Ali Khan (47247)
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Possibility of fine tuning libinjection results

You can do some checks before killing the rule by chaining that rule and verifying the contents of "fields". If it is always the same, use a streq as in the example below; otherwise do a rx including a pattern that matches your different values.

SecRule REQUEST_URI "@beginsWith /dhis/api/26/dimensions.json" "id:10000,phase:1,pass,nolog,chain"
    SecRule ARGS:fields "@streq id,displayName~rename(name),dimensionType" "ctl:ruleRemoveTargetById=942100;ARGS:fields"

You may want to use phase 2 instead of phase 1 or vice versa if you have issues, depending on your setup.

2017-10-12 16:00 GMT+02:00 Waqas Ali Khan (47247) <waqas.k...@nadra.gov.pk>:

The ctl action should be ruleRemoveTargetById. Sorry for the typo. So the final rule should be:

SecRule REQUEST_URI "@beginsWith /dhis/api/26/dimensions.json" "id:10000,phase:1,pass,nolog,ctl:ruleRemoveTargetById=942100"

Regards
Waqas Ali

________________________________________
From: Waqas Ali Khan (47247)
Sent: Thursday, October 12, 2017 6:56 PM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Possibility of fine tuning libinjection results

Hi Bob

To determine what exactly is triggering the rule, you can view the error logs that are created in response to the detected rule. The "Matched Data" variable is going to show exactly what is being detected as a threat.

You can disable the mentioned rule just for this particular URI like:

SecRule REQUEST_URI "@beginsWith /dhis/api/26/dimensions.json" "id:10000,phase:1,pass,nolog,ctl:ruleRemoveById=942100"

You will have to include the above rule before the rule file containing 942100.

Regards
Waqas Ali

----------------------------------------------------------------------

Message: 1
Date: Thu, 12 Oct 2017 13:39:53 +0200
From: Bob Jolliffe <bobjolli...@gmail.com>
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] Possibility of fine tuning libinjection results
Message-ID: <CACd=f9ehJ9t24UG9fJch=__59q4rkb4jtubbzc2v_dmr5vu...@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hi

I am not very experienced with owcrs so please bear with me if I say silly things.

I have a problem that rule 942100 (libinjection) is getting falsely triggered in response to a legitimate API call on our application. In particular, the offending URL is:

GET /dhis/api/26/dimensions.json?fields=id,displayName~rename(name),dimensionType&paging=false

which triggers 942100 with a fingerprint of 'nok(n'.

I don't really want to disable the whole rule as I am sure libinjection is valuable and it seems it is just this nok thing which is tripping. I also will not easily get developers to change the API in a hurry.

Does anybody know if there is a way to keep 942100 but just disable responding to this particular fingerprint?

Bonus question: can anybody tell me what it is exactly in the URL which is upsetting libinjection? I am suspecting it has to do with 'rename(name)'.

Regards
Bob

------------------------------

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
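The thread compares three ways of silencing the false positive: Waqas's `ctl:ruleRemoveById=942100` for the whole URI prefix, and Manuel's chained rule that removes only the `ARGS:fields` target, either by exact value (`@streq`) or by pattern (`@rx`). The following Python script is an added example, not code from the thread, from ModSecurity or from the CRS project: it emulates how each exclusion decides which ARGS targets still reach rule 942100, using constructed sample requests (the first is Bob's request). The regex for the `@rx` variant is a hypothetical one written for this example, since Manuel only described the idea; everything else mirrors ModSecurity behaviour that is documented (REQUEST_URI includes the query string, ARGS values are compared URL-decoded, and a chain only runs its `ctl` action when every link matches).

```python
# Added example: a Python emulation of the ModSecurity exclusion rules from the
# thread. It is not ModSecurity code; it models only the ARGS targets of 942100.
import re
from urllib.parse import urlsplit, parse_qsl

RULE_ID = 942100                                     # CRS libinjection SQLi rule from the thread
URI_PREFIX = "/dhis/api/26/dimensions.json"          # the @beginsWith prefix used in the thread
KNOWN_FIELDS = "id,displayName~rename(name),dimensionType"   # the @streq value from Manuel's rule
# Hypothetical pattern for Manuel's "otherwise do a rx" suggestion (an assumption
# for this example): a comma-separated list of names, each optionally ~rename(name).
FIELDS_RX = re.compile(r"^[A-Za-z]+(~rename\([A-Za-z]+\))?(,[A-Za-z]+(~rename\([A-Za-z]+\))?)*$")


def parse_request(request_target):
    """Build the variables the rules look at. REQUEST_URI keeps the query string,
    as in ModSecurity; ARGS values are URL-decoded, also as in ModSecurity."""
    parts = urlsplit(request_target)
    args = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {"REQUEST_URI": request_target, "ARGS": args}


def exclusion_broad(req):
    """Waqas's first rule, ctl:ruleRemoveById=942100 for the URI prefix.
    Returns the targets removed from 942100; '*' means the entire rule is off."""
    return {"*"} if req["REQUEST_URI"].startswith(URI_PREFIX) else set()


def exclusion_streq(req):
    """Manuel's chain: URI prefix AND exact (@streq) value of ARGS:fields."""
    if not req["REQUEST_URI"].startswith(URI_PREFIX):
        return set()                      # first link fails, the ctl action never runs
    if req["ARGS"].get("fields") == KNOWN_FIELDS:
        return {"ARGS:fields"}            # ctl:ruleRemoveTargetById=942100;ARGS:fields
    return set()


def exclusion_rx(req):
    """Same chain, second link with @rx: several legitimate field lists are
    excluded, while any value outside the pattern stays inspected."""
    if not req["REQUEST_URI"].startswith(URI_PREFIX):
        return set()
    if FIELDS_RX.match(req["ARGS"].get("fields", "")):
        return {"ARGS:fields"}
    return set()


def targets_inspected(req, exclusion):
    """ARGS targets that rule 942100 still evaluates after the ctl action.
    An empty list means libinjection never sees this request's arguments."""
    removed = exclusion(req)
    if "*" in removed:
        return []
    return [f"ARGS:{name}" for name in req["ARGS"] if f"ARGS:{name}" not in removed]


# Constructed sample requests; "bob" is the request from the original mail.
SAMPLES = {
    "bob": "/dhis/api/26/dimensions.json?fields=id,displayName~rename(name),dimensionType&paging=false",
    "bob_encoded": "/dhis/api/26/dimensions.json?fields=id%2CdisplayName%7Erename%28name%29%2CdimensionType&paging=false",
    "other_fields": "/dhis/api/26/dimensions.json?fields=id,name&paging=false",
    "odd_fields": "/dhis/api/26/dimensions.json?fields=id;name&paging=false",
    "other_uri": "/dhis/api/26/users.json?fields=id,displayName~rename(name),dimensionType",
}

if __name__ == "__main__":
    exclusions = (("broad", exclusion_broad), ("streq", exclusion_streq), ("rx", exclusion_rx))
    for label, target in SAMPLES.items():
        req = parse_request(target)
        for name, rule in exclusions:
            print(f"{label:13} {name:6} targets still inspected by {RULE_ID}: "
                  f"{targets_inspected(req, rule)}")
```

Running it shows the difference in coverage: for Bob's request the `@streq` chain leaves `ARGS:paging` inspected and strips only `ARGS:fields`, the same request with the value percent-encoded is treated identically because the comparison happens after URL decoding, a different or malformed `fields` value under the same URI is still fully inspected by the chained variants, and the broad `ruleRemoveById` form removes 942100 from every request under that prefix regardless of content. As Waqas notes, whichever form is used must be loaded before the CRS file that defines 942100, and its phase must not be later than the rule it adjusts.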