[Owasp-modsecurity-core-rule-set] rule bypass

Ivan Ristic ivan.ristic at gmail.com
Sat Jan 16 17:34:59 EST 2010

Hi Chris,

On Sat, Jan 16, 2010 at 10:02 PM, Chris Datfung <chris.datfung at gmail.com> wrote:
> I get the following message in section H of a false positive event:
> Message: Pattern match "['";=]" at FILES:cvFilename. [file
> "/opt/modsecurity/etc/crs/base_rules/modsecurity_crs_20_protocol_violations.conf"]
> [line "51"] [msg "Attempted multipart/form-data bypass"] [severity
> That rule does not have a rule id. How do I whitelist this?

If there's no ID you can always try to use SecRuleRemoveByMsg before
you resort to the direct file modification. Ryan, the author of CRS,
may have a better answer.

Having said that, if you don't mind, can we see the original request
that triggered that rule (ideally the entire audit log file)?

> Also if I may be so rude, but for the benefit of others and myself, I have a
> hard time wrapping my brain around the new whitelisting method in the v2.*
> CRS, can you please explain the methodology?
> Thank you,
>  - Chris

Ivan Ristic
ModSecurity Handbook [https://www.feistyduck.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
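
The SecRuleRemoveByMsg suggestion above, written out as a ModSecurity 2.x configuration fragment. This is an added example, not part of the original e-mail or the CRS; the Include path is taken from the quoted log line, and the `/upload` location is a hypothetical placeholder for whichever endpoint produces the false positive.

```apache
# Added example, not from the original thread.
# Assumptions: the CRS lives at the path shown in the quoted log line, and
# /upload is a hypothetical stand-in for the endpoint that triggers the alert.

# 1. The CRS rules must already be loaded: SecRuleRemoveByMsg only affects
#    rules that were defined before the directive is read.
Include /opt/modsecurity/etc/crs/base_rules/*.conf

# 2a. Broad form (left commented out): the argument is a regular expression
#     matched against each rule's msg action, so this drops the multipart
#     check for every request the server handles.
# SecRuleRemoveByMsg "Attempted multipart/form-data bypass"

# 2b. Narrow form: remove the rule only where the false positive occurs, and
#     anchor the regex so that no other rule's msg can match by accident.
<Location /upload>
    SecRuleRemoveByMsg "^Attempted multipart/form-data bypass$"
</Location>
```

Every rule carrying that msg is removed inside the location, so after reloading it is worth confirming in the audit log that the other protocol-violation rules still fire there.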
