[Owasp-modsecurity-core-rule-set] disable one rule

Ryan Barnett rcbarnett at gmail.com
Sun Aug 23 09:30:48 EDT 2009


On Sunday 23 August 2009 04:23:29 am Christian Klossek wrote:
> Hello,
>
> for one php-file I need to disable the rule "Possible HTTP Parameter
> Pollution Attack: Multiple Parameters with the same Name."
> (modsecurity_crs_40_generic_attacks.conf).
>
> Example: http://localhost/example.php?test=abcde&test=abcde
>
> That url should be legal. And I don't want to change the core rules
> directly. Is there a possibility to create a special rule for that url
> and that parameter in my "modsecurity_crs_15_custom_config.conf"?
>

This particular rule should have a rule ID but it seems to be missing.  This 
is a bug and will be fixed.  Even without a rule ID, you can still add a rule 
to the modsecurity_crs_48_local_exceptions.conf file to address this issue.  
See the last example if the file as it seems similar to your issue where you 
want to add an exception based on a URL.  Here is an example rule -

SecRule REQUEST_FILENAME "@streq /example.php" 
"chain,phase:2,t:none,nolog,pass"
       SecRule TX:'/-WEB_ATTACK/COMMAND_INJECTION-TX:arg_name_test/' "@streq 
2" "chain,t:none"
               SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.
%{tx.1},setvar:tx.anomaly_score=-20"

--
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20090823/d71d4500/attachment.html 


More information about the Owasp-modsecurity-core-rule-set mailing list