[Owasp-modsecurity-core-rule-set] rule bypass

Ivan Ristic ivan.ristic at gmail.com
Sat Jan 16 17:34:59 EST 2010


Hi Chris,


On Sat, Jan 16, 2010 at 10:02 PM, Chris Datfung <chris.datfung at gmail.com> wrote:
> I get the following message in section H of a false positive event:
>
> Message: Pattern match "['";=]" at FILES:cvFilename. [file
> "/opt/modsecurity/etc/crs/base_rules/modsecurity_crs_20_protocol_violations.conf"]
> [line "51"] [msg "Attempted multipart/form-data bypass"] [severity
> "CRITICAL"]
> That rule does not have a rule id. How do I whitelist this?

If there's no ID you can always try to use SecRuleRemoveByMsg before
you resort to the direct file modification. Ryan, the author of CRS,
may have a better answer.

Having said that, if you don't mind, can we see the original request
that triggered that rule (ideally the entire audit log file)?


> Also if I may be so rude, but for the benefit of others and myself, I have a
> hard time wrapping my brain around the new whitelisting method in the v2.*
> CRS, can you please explain the methodology?
> Thank you,
>  - Chris

-- 
Ivan Ristic
ModSecurity Handbook [https://www.feistyduck.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
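
Added example, not part of the original message and not CRS project configuration: one way to apply the SecRuleRemoveByMsg suggestion above, scoped to a single location instead of the whole server. The /upload path is an assumed placeholder; the msg text and the rule file path are taken from the log line quoted in the message.

```apache
# Load the CRS rule file first. SecRuleRemoveByMsg only affects rules that
# are already defined at the point where the directive is read.
Include /opt/modsecurity/etc/crs/base_rules/modsecurity_crs_20_protocol_violations.conf

# Broad form, shown commented out for contrast: at server level this drops
# the multipart filename check for every URL on the site.
# SecRuleRemoveByMsg "Attempted multipart/form-data bypass"

# Narrow form: remove the rule only for the one endpoint that produces the
# false positive. The argument is a regular expression matched against each
# rule's msg, so it is anchored here to avoid removing other rules whose
# msg merely contains the same words.
# "/upload" is a hypothetical path; replace it with the affected URL.
<LocationMatch "^/upload$">
    SecRuleRemoveByMsg "^Attempted multipart/form-data bypass$"
</LocationMatch>
```

Every other location keeps the check, and the exclusion survives CRS upgrades because the rule file itself is not edited.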

