"@verifyCC" is provided by ModSecurity for detecting credit card patterns.

SecRule ARGS "@verifyCC \d{13,16}" "phase:5,id:201,nolog,pass,sanitiseMatched"

This might address your issue: http://thinksabin.blogspot.com/2014/01/hiding-sensitive-data-in-apache.html

Regards,

On Wed, Jun 3, 2015 at 8:19 PM, Thayyilekandy, Subin : Barclaycard US <sthayyile...@barclaycardus.com> wrote:
> Did you try sanitizeArgs in your custom rules "After" file? You can also specify a pattern here, I believe; otherwise you will have to keep adding new/updated fields here that can possibly have sensitive data.
>
> SecAction "phase:5,id:200,nolog,pass,\
>   sanitiseArg:password,\
>   sanitiseArg:confirmPassword"
>
> Thanks
>
> Subin
>
> From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Charles Farinella
> Sent: Wednesday, June 03, 2015 10:22 AM
> To: Joshua Roback
> Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: Re: [Owasp-modsecurity-core-rule-set] How to prevent request body logging?
>
> Thanks for the suggestions, but I don't think either of these will solve our problem permanently.
>
> The 'nolog' option is rule or status code dependent, and we want to make sure that *no* request bodies are ever printed to the Nginx log.
>
> The 'SecAuditLogParts' option seems to only affect what gets sent to the audit logs; we've tried this. The mod_security docs say that "Messages at levels 1-3 are *always* copied to the Apache error log." We are assuming that this applies equally to Nginx logs, and this is what we need to address.
>
> We have clients sending credit card numbers in request bodies, and they are triggering mod_security SQL injection rules, which then write these bodies to the Nginx logs, exposing the CC number.
>
> We know that we can disable these specific rules, but are afraid that at some future time, or after an upgrade, these or some other rules will be triggered again, exposing sensitive information.
>
> Does OWASP have a "best practices" procedure for protecting this kind of data in a PCI environment?
>
> How can we prevent *all* level 1-3 messages from being sent to the Nginx log?
>
> Thanks again for your help.
>
> --charlie
>
> On Tue, Jun 2, 2015 at 4:08 PM, Joshua Roback <jrob...@gmail.com> wrote:
>
> Inside your base modsecurity.conf file, I believe the following directive will allow you to choose which parts are logged based on the assigned letter values.
> The example below will remove the REQUEST and RESPONSE body:
>
> SecAuditLogParts ABIFEHZ
>
> On Tue, Jun 2, 2015 at 11:39 AM Chaim Sanders <csand...@trustwave.com> wrote:
>
> Hey Charles,
>
> You can use the nolog action to prevent ModSecurity from adding entries. For instance:
>
> SecRule ARGS:test "Test" "block,status:403,nolog,id:1"
>
> Chaim Sanders
> Security Researcher, SpiderLabs
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com
>
> From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Charles Farinella
> Sent: Tuesday, June 2, 2015 10:38 AM
> To: owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: [Owasp-modsecurity-core-rule-set] How to prevent request body logging?
>
> We are seeing request bodies logged to our nginx logs. The mod_security documentation says that "Messages at levels 1-3 are always copied to the Apache error log." Does anyone know how we can prevent this behavior?
>
> --
> Charles Farinella
> Systems Administrator
> Appropriate Solutions, Inc.
> 603-924-6079
>
> Barclaycard
> www.barclaycardus.com
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
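The three suggestions in the thread (SecAuditLogParts, @verifyCC with sanitiseMatched, and sanitiseArg) combined into one ModSecurity v2 configuration fragment, added here as an illustration; it is not from the thread or from any ModSecurity or CRS project file. The directive names and actions are standard ModSecurity v2, while the rule ids 900901 and 900902 and the argument names card_number, password and confirmPassword are constructed for the example.

```apache
# Added illustrative configuration (not from the mailing-list thread or any
# ModSecurity/CRS file). Rule ids and argument names below are constructed.

# 1. Audit log: leave out the request body (part C) and response body (part E)
#    so full bodies are never written to the audit log in the first place.
SecAuditEngine RelevantOnly
SecAuditLogParts ABFHZ

# 2. Mask anything that looks like a card number, wherever it appears in the
#    arguments. @verifyCC applies the regex first and then the Luhn check, so a
#    random 16-digit order id is not masked but a real PAN is. sanitiseMatched
#    replaces the matched value with asterisks in the audit log.
SecRule ARGS "@verifyCC \d{13,16}" \
    "phase:5,id:900901,nolog,pass,sanitiseMatched"

# 3. Mask known-sensitive parameters and headers by name, regardless of content,
#    so they are covered even when the value does not match a card pattern.
SecAction \
    "phase:5,id:900902,nolog,pass,\
    sanitiseArg:card_number,\
    sanitiseArg:password,\
    sanitiseArg:confirmPassword,\
    sanitiseRequestHeader:Authorization"
```

The caveat Charles raises still applies: the sanitise actions are documented as affecting the audit log only. A blocking rule that matches on the card number writes its own one-line message to the error log, and that message includes the matched fragment, so the sanitise rules above close the audit-log exposure but do not by themselves answer the error-log question the thread leaves open.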