[Owasp-modsecurity-core-rule-set] rule bypass
ivan.ristic at gmail.com
Sat Jan 16 17:34:59 EST 2010
On Sat, Jan 16, 2010 at 10:02 PM, Chris Datfung <chris.datfung at gmail.com> wrote:
> I get the following message in section H of a false positive event:
> Message: Pattern match "['";=]" at FILES:cvFilename. [file
> [line "51"] [msg "Attempted multipart/form-data bypass"] [severity
> That rule does not have a rule id. How do I whitelist this?
If there's no ID you can always try to use SecRuleRemoveByMsg before
you resort to the direct file modification. Ryan, the author of CRS,
may have a better answer.
Having said that, if you don't mind, can we see the original request
that triggered that rule (ideally the entire audit log file)?
> Also if I may be so rude, but for the benefit of others and myself, I have a
> hard time wrapping my brain around the new whitelisting method in the v2.*
> CRS, can you please explain the methodology?
> Thank you,
> - Chris
ModSecurity Handbook [https://www.feistyduck.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
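Added example, not part of the original message and not taken from the CRS: one way to apply the SecRuleRemoveByMsg suggestion above in an Apache configuration for ModSecurity 2.x, using the msg text from the quoted log line. The include path and the /upload location are placeholders assumed for illustration.

```apache
# Load the CRS first. SecRuleRemoveByMsg only removes rules that are already
# defined above it in the configuration. (Placeholder path, assumed.)
Include /path/to/crs/*.conf

# Broad form: removes the rule for every request in this context, so the
# multipart check is lost site-wide. Shown commented out for comparison.
# SecRuleRemoveByMsg "Attempted multipart/form-data bypass"

# Narrower form: remove it only for the endpoint that produces the false
# positive (hypothetical path), leaving the check active everywhere else.
# The argument is a regular expression matched against each rule's msg, so
# anchoring it keeps it from matching other rules with similar messages.
<Location "/upload">
    SecRuleRemoveByMsg "^Attempted multipart/form-data bypass$"
</Location>
```

After reloading, replay the request that caused the false positive and confirm in the audit log that the message no longer appears for that location but still appears for other paths.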