[Owasp-modsecurity-core-rule-set] ruleRemoveByTag doesn't work

Cristiano Galdino cristiano.galdino at gmail.com
Tue Aug 2 16:16:32 UTC 2016


Hi there,

This is my modsecurity_crs_15_local_exceptions file, but it doesn't skip the
tags on the rule. Why?

SecRule REQUEST_FILENAME "@beginsWith /path" \
"id:1500,phase:2,nolog,noauditlog,t:none,t:lowercase,pass, \
ctl:ruleRemoveById=960024, \
ctl:ruleRemoveById=981173, \
ctl:ruleRemoveById=960915, \
ctl:ruleRemoveById=200003, \
ctl:ruleRemoveByTag='OWASP_CRS/WEB_ATTACK/XSS';ARGS:Detalhamento, \
ctl:ruleRemoveByTag='OWASP_CRS/WEB_ATTACK/SQL_INJECTION';ARGS:Detalhamento, \
ctl:ruleRemoveByTag='OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION';ARGS:Detalhamento, \
ctl:ruleRemoveByTag='OWASP_CRS/WEB_ATTACK/XSS';ARGS:comentario, \
ctl:ruleRemoveByTag='OWASP_CRS/WEB_ATTACK/SQL_INJECTION';ARGS:comentario, \
ctl:ruleRemoveByTag='OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION';ARGS:comentario, \
ctl:ruleRemoveByTag='OWASP_CRS/WEB_ATTACK/XSS';ARGS:texto, \
ctl:ruleRemoveByTag='OWASP_CRS/WEB_ATTACK/SQL_INJECTION';ARGS:texto, \
ctl:ruleRemoveByTag='OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION';ARGS:texto"



Sample message:

Message: Pattern match
"(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)"
at ARGS:comentario. [file
"/usr/local/apache2/conf/mod_security/owasp/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "49"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."]
[data "Matched Data:  #\x0d found within ARGS:comentario: # Poss\xedvel
fraude descoberta pela PREVEN\xc7\xc3O #\x0d\x0a\x0d\x0aEm contato com
associado, o mesmo desconhece as seguintes
transa\xe7\xf5es:\x0d\x0a\x0d\x0a# Transa\xe7\xf5es
aprovadas:\x0d\x0a01/08/2016 22:05:58\x0923,19D\x09APROVADA\x09COMPRA
CARD\x09SITE.COM.BR SAO PAULO BRA\x0d\x0a01/08/2016
21:57:23\x0913,15C\x09APROVADA\x09COMPRA CARD\x09NET FARMA CARAPICUIBA
BRA\x0d\x0a01/08/2016 19:31:41\x0913,15D\x09APROVADA\x09COMPRA CA..."]
[severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] [maturity "8"] [accuracy "8"]
[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]

-- 
Cristiano Galdino - cristiano at galdino.net
http://cristiano.galdino.net
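
Added example, not part of the original message and not the poster's or the CRS project's code: the same exception written with ctl:ruleRemoveTargetByTag, the ctl option that accepts a "tag;target" pair, whereas ctl:ruleRemoveByTag takes only a tag and removes whole rules. It assumes a ModSecurity 2.x build that supports ctl:ruleRemoveTargetByTag and reuses the id, path and parameter names from the message above.

```apache
# Added example (not from the original post).
#
#   ctl:ruleRemoveByTag=<tag>                 drops every rule carrying <tag>
#                                             for this transaction; no target
#   ctl:ruleRemoveTargetByTag=<tag>;<target>  keeps those rules active but
#                                             stops them inspecting <target>
#
# The tag is written without quotes; ";" separates it from the target.
# This rule must be loaded before the CRS rule files it modifies, which the
# modsecurity_crs_15_local_exceptions file name already arranges.
SecRule REQUEST_FILENAME "@beginsWith /path" \
    "id:1500,phase:2,nolog,noauditlog,t:none,t:lowercase,pass,\
    ctl:ruleRemoveById=960024,\
    ctl:ruleRemoveById=981173,\
    ctl:ruleRemoveById=960915,\
    ctl:ruleRemoveById=200003,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/XSS;ARGS:Detalhamento,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/SQL_INJECTION;ARGS:Detalhamento,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION;ARGS:Detalhamento,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/XSS;ARGS:comentario,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/SQL_INJECTION;ARGS:comentario,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION;ARGS:comentario,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/XSS;ARGS:texto,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/SQL_INJECTION;ARGS:texto,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION;ARGS:texto"
```

With this form the rules tagged OWASP_CRS/WEB_ATTACK/SQL_INJECTION, such as 981231 in the sample message, still inspect every other parameter under /path; only Detalhamento, comentario and texto are excluded.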