owasp-modsecurity/ModSecurity

Question: How can I make an exception for a rule with a specific Id?

Opened this issue · 5 comments

1gm4 commented

I know that ctl:ruleRemoveTargetById is used for this.
I want to create an exception to the default owasp-crs rule

But my rule exception looks like this:

SecRule REQUEST_URI "@beginsWith /rest/user/login" "id:1,phase:1,pass,\
           log,ctl:ruleRemoveTargetById=949110;ARGS:json.qwerty.comment"

and this does not work :(

In the error.log and modsec_audit.log, I see that the request from the ruleset REQUEST-949-BLOCKING-EVALUATION.conf with the ID 949110 is blocked.

What am I doing wrong?

UPD:
Could it be that this is happening because of the summation of the anomaly score?
modsec_audit:

ModSecurity: Warning. Matched "Operator `BeginsWith' with parameter `/rest/user/login' against variable `REQUEST_URI' (Value: `/rest/user/login' ) [file "/usr/share/modsecurity/custom_rules/IP_deny.conf"] [line "4"] [id "1"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "192.168.1.71"] [uri "/rest/user/login"] [unique_id "176232823339.923895"] [ref "o0,16v5,16"]

ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1c found within ARGS:json.qwerty.comment: ' or 1 = 1 -- -"] [severity "2"] [ver "OWASP_CRS/3.3.7"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "192.168.1.71"] [uri "/rest/user/login"] [unique_id "176232823339.923895"] [ref "v20,15"]

ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:^\s*[\"'`;]+|[\"'`]+\s*$)' against variable `ARGS:json.qwerty.comment' (Value: `' or 1 = 1 -- -' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "500"] [id "942110"] [rev ""] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: ' found within ARGS:json.qwerty.comment: ' or 1 = 1 -- -"] [severity "4"] [ver "OWASP_CRS/3.3.7"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "192.168.1.71"] [uri "/rest/user/login"] [unique_id "176232823339.923895"] [ref "o0,1v20,15t:utf8toUnicode,t:urlDecodeUni"]

ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?(?:<(?:=(?:[\s'\"`()]*?(?!\b\1\b)[\d\w]+|>[\s'\"`()]*?(?:\b\1\b))|>?[\s'\"`()]*?(?!\b\1\b)[\d\w]+)|(?:not\s+(?:regexp|like)|is\s+not|>=?|!=|\^)[\s'\"`()]*?(?!\ (78 characters omitted)' against variable `ARGS:json.qwerty.comment' (Value: `' or 1 = 1 -- -' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "571"] [id "942130"] [rev ""] [msg "SQL Injection Attack: SQL Tautology Detected"] [data "Matched Data:  1 = 1 found within ARGS:json.qwerty.comment: ' or 1 = 1 -- -"] [severity "2"] [ver "OWASP_CRS/3.3.7"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "192.168.1.71"] [uri "/rest/user/login"] [unique_id "176232823339.923895"] [ref "o4,6o5,1v20,15"]

ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:[\"'`](?:\s*?(?:(?:between|x?or|and|div)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]|like(?:[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]|\W+[\w\"'`(])|[!=|](?:[\d\s!=+-]+.*?[\"'`(].*?|[\d\s!=]+.*?\d+)$|[^\w\s]?=\s*?[ (149 characters omitted)' against variable `ARGS:json.qwerty.comment' (Value: `' or 1 = 1 -- -' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "639"] [id "942180"] [rev ""] [msg "Detects basic SQL authentication bypass attempts 1/3"] [data "Matched Data: ' or 1 = 1 found within ARGS:json.qwerty.comment: ' or 1 = 1 -- -"] [severity "2"] [ver "OWASP_CRS/3.3.7"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "192.168.1.71"] [uri "/rest/user/login"] [unique_id "176232823339.923895"] [ref "o0,10v20,15t:urlDecodeUni"]

ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:^(?:[\"'`\\\\]*?(?:[^\"'`]+[\"'`]|[\d\"'`]+)\s*?(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)\s*?[\w\"'`][+&!@(),.-]|.?[\"'`]$)|\@(?:[\w-]+\s(?:between|like|x?or|and|div)\s*?[^\w\s]|\ (226 characters omitted)' against variable `ARGS:json.qwerty.comment' (Value: `' or 1 = 1 -- -' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "827"] [id "942330"] [rev ""] [msg "Detects classic SQL injection probings 1/3"] [data "Matched Data: ' or 1 found within ARGS:json.qwerty.comment: ' or 1 = 1 -- -"] [severity "2"] [ver "OWASP_CRS/3.3.7"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "192.168.1.71"] [uri "/rest/user/login"] [unique_id "176232823339.923895"] [ref "o0,6v20,15t:urlDecodeUni"]

ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:\b(?:(?i:xor)\b\s+(?:'[^=]{1,10}'(?:\s*?[=<>])?|\d{1,10}(?:\s*?[=<>])?)|(?i:or)\b\s+(?:'[^=]{1,10}'(?:\s*?[=<>])?|\d{1,10}(?:\s*?[=<>])?))|(?i:\bor\b ?[\'\"][^=]{1,10}[\'\"] ?[=<>]+)|(?i:'\s+xor\s+ (79 characters omitted)' against variable `ARGS:json.qwerty.comment' (Value: `' or 1 = 1 -- -' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "970"] [id "942390"] [rev ""] [msg "SQL Injection Attack"] [data "Matched Data: ' or 1 = 1 -- - found within ARGS:json.qwerty.comment: ' or 1 = 1 -- -"] [severity "2"] [ver "OWASP_CRS/3.3.7"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "192.168.1.71"] [uri "/rest/user/login"] [unique_id "176232823339.923895"] [ref "o0,15v20,15t:urlDecodeUni"]

ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:/\*!?|\*/|[';]--|--[\s\r\n\v\f]|--[^-]*?-|[^&-]#.*?[\s\r\n\v\f]|;?\\x00)' against variable `ARGS:json.qwerty.comment' (Value: `' or 1 = 1 -- -' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1189"] [id "942440"] [rev ""] [msg "SQL Comment Sequence Detected"] [data "Matched Data: --  found within ARGS:json.qwerty.comment: ' or 1 = 1 -- -"] [severity "2"] [ver "OWASP_CRS/3.3.7"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "192.168.1.71"] [uri "/rest/user/login"] [unique_id "176232823339.923895"] [ref "o11,3v20,15t:urlDecodeUni"]

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `10' against variable `TX:ANOMALY_SCORE' (Value: `33' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "81"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 33)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.7"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "192.168.1.71"] [uri "/rest/user/login"] [unique_id "176232823339.923895"] [ref ""]

Hi @1gm4,

I think it's a huge stroke of luck that this setup does not work for you.

Please never, ever block rule 949110 or similar anomaly score evaluation rules (if you use CRS in anomaly scoring mode).

If you exclude any of the anomaly score evaluation rules, your WAF can be totally bypassed.

Besides that, your exclusion rule syntax is right, but it does not work because you want to exclude the rule's target named ARGS:json.qwerty.comment, but 949110 does not check this target.

So, again: forget this rule exclusion.

You have to add exclusion(s) against the rules where you see that the rule evaluated that target, and the match was caused by that target.

Eg.:

SecRule REQUEST_URI "@beginsWith /rest/user/login" \
    "id:1,\
    phase:1,\
    pass,\
    t:none,\
    ctl:ruleRemoveTargetById=942100;ARGS:json.qwerty.comment,\
    ctl:ruleRemoveTargetById=942110;ARGS:json.qwerty.comment,\
    ctl:ruleRemoveTargetById=942130;ARGS:json.qwerty.comment,\
    ctl:ruleRemoveTargetById=942180;ARGS:json.qwerty.comment,\
    ctl:ruleRemoveTargetById=942330;ARGS:json.qwerty.comment,\
    ctl:ruleRemoveTargetById=942390;ARGS:json.qwerty.comment,\
    ctl:ruleRemoveTargetById=942440;ARGS:json.qwerty.comment"

Note: you don't need the log action here.

Also, it's important that if you want to use this form of exclusion, you need to put this rule before all the others.

For more information, please check CRS's documentation, especially the "configure time" and "runtime" modes.

1gm4 commented

@airween
Thanks for your answer! <3
And, if it's not difficult for you, could you give me some advice?:

If I want to reduce the number of lines in order to optimize the work of MDS, can I specify the Ids separated by commas, or can the parameter accept only one Id?

If I want to reduce the number of lines in order to optimize the work of MDS, can I specify the Ids separated by commas, or can the parameter accept only one Id?

Sorry, I don't understand this sentence. Eg. what is the "MDS"?

1gm4 commented

@airween
MDS = ModSecurity
I mean, for example:
SecRule REQUEST_URI "@beginswith /rest/user/login" \
"id:1,\
phase:1,\
pass,\
t:none,\
ctl:ruleRemoveTargetById=942100,942110,942130,942180,942180,942330,942390,942440;ARGS:json.qwerty.comment"

Hi @1gm4,

thanks for this clarification.

No, you can't use ruleRemoveTargetById with this syntax. You need to put each rule one by one into its own ctl action.
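The two points made in this thread, that the exclusion has to name the rules whose match was actually caused by the target (not the 949110 evaluation rule), and that each rule ID needs its own ctl:ruleRemoveTargetById action, can be turned into a small helper. The following Python script is an added example, not code from the ModSecurity project or from either commenter: it reads ModSecurity audit-log warnings, collects the IDs of the rules whose "Matched Data ... found within <target>" refers to the argument in question, refuses any anomaly-score evaluation rule, and renders the SecRule in the one-ctl-per-ID form shown above. The log lines are constructed, shortened from the shape of the excerpt in this thread; the function names and the 949/980 ID prefixes used to recognise evaluation rules are assumptions of this example.

```python
import re

# Constructed sample: one custom-rule line, three CRS 942xxx warnings and the
# 949110 blocking line, shortened from the shape of the modsec_audit.log
# excerpt in this thread (the long Rx patterns are replaced with `...').
SAMPLE_AUDIT_LOG = """\
ModSecurity: Warning. Matched "Operator `BeginsWith' with parameter `/rest/user/login' against variable `REQUEST_URI' [file "/usr/share/modsecurity/custom_rules/IP_deny.conf"] [line "4"] [id "1"] [msg ""] [data ""] [uri "/rest/user/login"]
ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1c found within ARGS:json.qwerty.comment: ' or 1 = 1 -- -"] [uri "/rest/user/login"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `ARGS:json.qwerty.comment' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "500"] [id "942110"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: ' found within ARGS:json.qwerty.comment: ' or 1 = 1 -- -"] [uri "/rest/user/login"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `ARGS:json.qwerty.comment' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1189"] [id "942440"] [msg "SQL Comment Sequence Detected"] [data "Matched Data: --  found within ARGS:json.qwerty.comment: ' or 1 = 1 -- -"] [uri "/rest/user/login"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `10' against variable `TX:ANOMALY_SCORE' (Value: `33' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "81"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 33)"] [data ""] [uri "/rest/user/login"]
"""

ID_RE = re.compile(r'\[id "(\d+)"\]')
DATA_RE = re.compile(r'\[data "([^"]*)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')

# Assumption of this example: CRS anomaly-score evaluation rules live in the
# REQUEST-949-* and RESPONSE-980-* files. Their target is TX:*, never a request
# argument, and removing them disables blocking altogether.
EVALUATION_ID_PREFIXES = ("949", "980")


def is_evaluation_rule(rule_id):
    """True for anomaly-score evaluation rules, which must never be excluded."""
    return rule_id.startswith(EVALUATION_ID_PREFIXES)


def rules_matching_target(log_text, target, uri):
    """Return, in first-seen order, the IDs of rules whose match on `uri` was
    caused by `target` (i.e. the [data ...] field says 'found within <target>:')."""
    needle = f"found within {target}:"
    found = []
    for line in log_text.splitlines():
        id_m, data_m, uri_m = ID_RE.search(line), DATA_RE.search(line), URI_RE.search(line)
        if not (id_m and data_m and uri_m) or uri_m.group(1) != uri:
            continue
        rule_id = id_m.group(1)
        # Evaluation rules never carry a matched argument; skip them explicitly.
        if is_evaluation_rule(rule_id) or needle not in data_m.group(1):
            continue
        if rule_id not in found:
            found.append(rule_id)
    return found


def build_exclusion(rule_ids, target, uri, exclusion_id=1):
    """Render one phase:1 SecRule with a separate ctl:ruleRemoveTargetById action
    per rule ID (ctl does not accept a comma-separated ID list)."""
    if not rule_ids:
        raise ValueError("no rule IDs to exclude")
    bad = [r for r in rule_ids if is_evaluation_rule(r)]
    if bad:
        raise ValueError(f"refusing to exclude anomaly evaluation rule(s): {bad}")
    actions = [f"id:{exclusion_id}", "phase:1", "pass", "t:none"]
    actions += [f"ctl:ruleRemoveTargetById={r};{target}" for r in rule_ids]
    body = ",\\\n    ".join(actions)  # one action per line, Apache-style continuation
    return f'SecRule REQUEST_URI "@beginsWith {uri}" \\\n    "{body}"'


if __name__ == "__main__":
    ids = rules_matching_target(SAMPLE_AUDIT_LOG, "ARGS:json.qwerty.comment", "/rest/user/login")
    print(build_exclusion(ids, "ARGS:json.qwerty.comment", "/rest/user/login"))
```

Run against a real modsec_audit.log excerpt for one unique_id, the output is the rule to place before the CRS includes (as the answer above notes, this runtime form of exclusion must come before all other rules). Re-check the log after deploying: any remaining 942xxx warning on the same argument means a rule fired that was not in the excerpt you fed in, and it gets its own ctl line rather than a broadened exclusion.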