Thanks Waqas and Manuel for your valuable suggestions. And sorry for replying here to my own post instead of yours - I was receiving just the digest not the individual mails.
As I said, your suggestions are valuable learning for me, but don't really get to the heart of my problem. Unfortunately this is not going to be just one url. There are many which will use the same pattern of parameters. What I am really trying to get to is the fingerprint result of libinjection. My understanding is that libinjection returns a 1 or 0 result indicated attack detected, but also the fingerprint of the attack detected. In this case 'nok(n' . Is there some way I can say to respect the result of libinjection but ignore this particular fingerprint? That seemed to be the intent of early discussion of integrating libinjection back in 2013 (https://sourceforge.net/p/mod-security/mailman/message/30387182/). The syntax proposed in that message was: SecRule ARGS "@detectSQLi /path/to/fingerprints.txt" Maybe it does actually work like that and I am missing something. Regards Bob On 12 October 2017 at 13:39, Bob Jolliffe <bobjolli...@gmail.com> wrote: > Hi > > I am not very experienced with owcrs so please bear with me if I say > silly things. > > I have a problem that rule 942100 (libinjection) is getting falsely > triggered in response to a legitimate api call on our application. In > particular the the offending URL is: > > GET > /dhis/api/26/dimensions.json?fields=id,displayName~rename(name),dimensionType&paging=false > > Which triggers 942100 with a fingerprint of 'nok(n'. > > I don't really want to disable the whole rule as I am sure > libinjection is valuable and it seems it is just this nok thing which > is tripping. I also will not easily get developers to change the api > in a hurry. Does anybody know is there a way to keep 942100 but just > disable responding to this particular fingerprint? > > Bonus question: can anybody tell me what it is exactly in the URL > which is upsetting libinjection? I am suspecting it has to do with > 'rename(name)' > > Regards > Bob _______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
