From: Ryan Barnett <RBarnett <at> trustwave.com>
Subject: Re: How to override a gt score rule
Newsgroups: gmane.comp.apache.mod-security.user
Date: Thursday 1st September 2011 19:03:55 UTC (over 5 years ago)
On 9/1/11 2:56 PM, "Organic Spider" <[email protected]> wrote:

>Is one right to assume the rule below triggers when, say, a '-' appears
>four or more times? How can this be increased to, say, six by using an
>override, as I do not see a variable to change?

We have added capabilities to externally update both the TARGET and ACTION
lists for rules (SecRuleUpdateTargetById and SecRuleUpdateActionByID) but
not for the OPERATOR argument.

For this type of issue, you may have to edit the rule itself to increase the
regex repetition threshold to an appropriate limit.

One thing that we might look to update is to have different meta-chars
listed when inspecting the REQUEST_FILENAME variable, as - and _ don't
really cause any problems.

-Ryan


>--
>Thanks, OS
>----- Original Message -----
>
>From: "Organic Spider" <[email protected]>
>To: [email protected]
>Sent: Thursday, 1 September, 2011 3:53:12 PM
>Subject: [mod-security-users] How to override a gt score rule
>
>Hello,
>
>I have the following rule being hit:
>
>[Thu Sep 01 10:50:00 2011] [error] [client 123.123.123.123] ModSecurity:
>Warning. Pattern match
>"([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\
>\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x9
>9\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*){4,}" at REQUEST_FILENAME. [file
>"/usr/local/httpd-2.2.19/modsecurity/rules/modsecurity_crs_41_sql_injectio
>n_attacks.conf"] [line "523"] [id "981173"] [rev "2.2.2"] [msg
>"Restricted SQL Character Anomaly Detection Alert - Total # of special
>characters exceeded"] [data "-oops/"] [hostname "www.somedomain.com"]
>[uri "/case-studies/text/this-is-a-long-path-oops/"] [unique_id
>"[email protected]"]
>
>What is the best way to override it without having to completely disable
>it? I assume there is a way to increase the @gt score without modifying
>the rule directly?
>
>--------------------------------------------------------------------------
>----
>Special Offer -- Download ArcSight Logger for FREE!
>Finally, a world-class log management solution at an even better
>price-free! And you'll get a free "Love Thy Logs" t-shirt when you
>download Logger. Secure your free ArcSight Logger TODAY!
>http://p.sf.net/sfu/arcsisghtdev2dev
>_______________________________________________
>mod-security-users mailing list
>[email protected]
>https://lists.sourceforge.net/lists/listinfo/mod-security-users
>ModSecurity Services from Trustwave's SpiderLabs:
>https://www.trustwave.com/application-security.php
>




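An added example, not part of the original messages or of the CRS: a Python check of how the `([...].*){N,}` pattern from the alert behaves on the logged path as the repetition threshold changes, and when `-` is dropped from the class for filenames. The character class is reconstructed from the escaped log line (an assumption), and the function names are hypothetical.

```python
import re

# Character class reconstructed from the escaped pattern in the log line
# quoted in the thread (an assumption of this example; compare it with
# your own copy of rule 981173 before relying on it).
SPECIALS = "~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>"


def build_pattern(threshold, ignore=""):
    """Return the '([specials].*){N,}' regex with N = threshold.

    `ignore` lists characters to drop from the class, e.g. "-" for paths.
    """
    chars = "".join(c for c in SPECIALS if c not in ignore)
    return re.compile("([" + re.escape(chars) + "].*){" + str(threshold) + ",}")


def fires(value, threshold=4, ignore=""):
    """True when the pattern matches `value`, i.e. the rule would alert."""
    return build_pattern(threshold, ignore).search(value) is not None


def special_count(value, ignore=""):
    """Number of characters in `value` that belong to the class."""
    return sum(1 for c in value if c in SPECIALS and c not in ignore)


# REQUEST_FILENAME taken from the alert quoted in the thread.
PATH = "/case-studies/text/this-is-a-long-path-oops/"

if __name__ == "__main__":
    print("special characters in path:", special_count(PATH))
    for n in (4, 6, 7):
        print("threshold", n, "fires:", fires(PATH, n))
    print("threshold 4, '-' ignored:", fires(PATH, 4, ignore="-"))
```

The logged path contains six hyphens, so a threshold of six still matches it; only seven or more, or a filename-specific class without `-`, stops the alert for this URI.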