Ryan Barnett | 1 Sep 21:03 2011

Re: How to override a gt score rule


On 9/1/11 2:56 PM, "Organic Spider" <webmaster <at> organicspider.co.uk> wrote:

>Is one right to assume the rule below triggers when say a '-' appears
>four or more times? How can this be increased to say six by using an
>override, as I do not see a variable to change?

We have added capabilities to externally update both the TARGET and ACTION
lists for rules (SecRuleUpdateTargetById and SecRuleUpdateActionByID) but
not for the OPERATOR argument.

For this type of issue, you may have to edit the rule itself to increase the
regex repetition threshold to an appropriate limit.

One thing that we might look to update is to have different meta-chars
listed when inspecting the REQUEST_FILENAME variable, as - and _ don't
really cause any problems.

-Ryan

>--
>Thanks, OS
>----- Original Message -----
>
>From: "Organic Spider" <webmaster <at> organicspider.co.uk>
>To: mod-security-users <at> lists.sourceforge.net
>Sent: Thursday, 1 September, 2011 3:53:12 PM
>Subject: [mod-security-users] How to override a gt score rule
>
>Hello,
>
>I have the following rule being hit:
>
>[Thu Sep 01 10:50:00 2011] [error] [client 123.123.123.123] ModSecurity: Warning. Pattern match
>"([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*){4,}"
>at REQUEST_FILENAME.
>[file "/usr/local/httpd-2.2.19/modsecurity/rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "523"]
>[id "981173"] [rev "2.2.2"]
>[msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]
>[data "-oops/"] [hostname "www.somedomain.com"]
>[uri "/case-studies/text/this-is-a-long-path-oops/"]
>[unique_id "Tl@bmH8eCIcAAC3jAbwAAAAC"]
>
>What is the best way to override it without having to completely disable
>it? I assume there is a way to increase the @gt score without modifying
>the rule directly?
>
>--------------------------------------------------------------------------
>----
>Special Offer -- Download ArcSight Logger for FREE!
>Finally, a world-class log management solution at an even better
>price-free! And you'll get a free "Love Thy Logs" t-shirt when you
>download Logger. Secure your free ArcSight Logger TODAY!
>http://p.sf.net/sfu/arcsisghtdev2dev
>_______________________________________________
>mod-security-users mailing list
>mod-security-users <at> lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/mod-security-users
>ModSecurity Services from Trustwave's SpiderLabs:
>https://www.trustwave.com/application-security.php
>

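Added example, not from this thread or from the CRS: a Python re-creation of the repetition logic in the 981173 pattern, `([<meta-chars>].*){4,}`, to show why the quoted path fires at `{4,}`, what raising the threshold to 6 or 7 changes, and what dropping the hyphen from the class for REQUEST_FILENAME (as suggested in the reply) does. The class is an assumed transcription of the rule's meta-chars (ASCII set plus the three UTF-8 quote characters); the sample path is the one from the quoted log line.

```python
import re

# Assumed transcription of the character class in CRS rule 981173 rev 2.2.2
# (the real rule lives in modsecurity_crs_41_sql_injection_attacks.conf).
META_CHARS = r"""~!@#$%^&*()\-+={}\[\]|:;"'\u00b4\u2019\u2018`<>"""

# Variant with the hyphen removed, for inspecting REQUEST_FILENAME where '-'
# is normal in paths ('_' is not in the original class to begin with).
NO_DASH = META_CHARS.replace(r"\-", "")

# Path from the quoted alert (constructed sample input).
SAMPLE_PATH = "/case-studies/text/this-is-a-long-path-oops/"


def build_rule(threshold: int, chars: str = META_CHARS) -> re.Pattern:
    """Mimic `@rx ([<chars>].*){N,}`: each group consumes at least one
    meta-char, so the pattern matches iff the input holds >= N of them."""
    return re.compile(rf"([{chars}].*){{{threshold},}}")


def count_meta_chars(value: str, chars: str = META_CHARS) -> int:
    """Count characters that fall inside the rule's class."""
    single = re.compile(f"[{chars}]")
    return sum(1 for c in value if single.fullmatch(c))


def rule_fires(value: str, threshold: int = 4, chars: str = META_CHARS) -> bool:
    """True when the anomaly rule would trigger at the given repetition limit."""
    return build_rule(threshold, chars).search(value) is not None


if __name__ == "__main__":
    print("meta-chars in sample:", count_meta_chars(SAMPLE_PATH))   # 6 hyphens
    for n in (4, 6, 7):
        print(f"{{{n},}} fires:", rule_fires(SAMPLE_PATH, n))
    print("{4,} without '-':", rule_fires(SAMPLE_PATH, 4, NO_DASH))
```

The sample path carries six hyphens, so `{4,}` and `{6,}` fire while `{7,}` does not, and the hyphen-free class does not fire at all; since the operator argument cannot be changed with SecRuleUpdate*, the threshold or class has to be edited in the rule itself.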
