Kirk,

This is a tricky one. Actually your recipe should work. But then it does
not. I dug a bit deeper and found an issue.

SecRuleUpdateTargetByID 942000-942999 "ARGS:SearchTerm"

adds the arg SearchTerm to all rules including steering commando rules
used for Paranoia Levels. And this seems to f**k them up. At least this
is my first impression.

Could you try and apply the Update only to those rules that really
apply and report back?

There might be a deeper issue here, so let's try and work together
to find a good recipe to solve your use case - which is actually a very
useful one.

Ahoj,

Christian


On Mon, Aug 14, 2017 at 10:03:15AM +1200, Kirk Jackson wrote:
> Hi,
> 
> I'd like to run the SQLi checks on only the one parameter on my site that
> is vulnerable to those attacks.
> 
> I was wondering if there's a pattern to do this, or if I need to copy the
> rules from REQUEST-942-APPLICATION-ATTACK-SQLI.conf into my own file, and
> change the variables to my ARGS:ParamName?
> 
> I tried doing this, to disable the rules, and then re-enable for just my
> param, but that didn't work:
> 
> SecRuleUpdateTargetByID 942000-942999 "!REQUEST_COOKIES"
> SecRuleUpdateTargetByID 942000-942999 "!REQUEST_COOKIES_NAMES"
> SecRuleUpdateTargetByID 942000-942999 "!ARGS_NAMES"
> SecRuleUpdateTargetByID 942000-942999 "!ARGS"
> SecRuleUpdateTargetByID 942000-942999 "!XML"
> 
> SecRuleUpdateTargetByID 942000-942999 "ARGS:SearchTerm"
> 
> Many thanks!
> 
> Kirk

> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set


-- 
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
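
Added example, not part of the original thread and not CRS project code: a Python sketch of the check Christian asks for. It splits the rule IDs in 942000-942999 into detection rules and flow-control rules, and emits the target update only for the detection rules. The sample rule text, its rule IDs and the `skipAfter` / `TX:`-only heuristic for recognising the paranoia-level steering rules are assumptions constructed for illustration.

```python
import re

# Constructed sample shaped like a CRS rule file (not copied from the project).
SAMPLE_RULES = r'''
SecRule TX:PARANOIA_LEVEL "@lt 1" \
    "phase:2,id:942012,nolog,pass,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule REQUEST_COOKIES|ARGS_NAMES|ARGS|XML:/* "@detectSQLi" \
    "phase:2,id:942100,block,msg:'constructed SQLi rule',severity:'CRITICAL'"
SecRule TX:PARANOIA_LEVEL "@lt 2" \
    "phase:2,id:942014,nolog,pass,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule ARGS_NAMES|ARGS "@rx (?i:union\s+select)" \
    "phase:2,id:942190,block,msg:'constructed SQLi rule 2'"
SecRule ARGS "@rx foo" "phase:2,id:941100,block"
'''

RULE_RE = re.compile(r'SecRule\s+(\S+)\s+"((?:[^"\\]|\\.)*)"\s+"((?:[^"\\]|\\.)*)"')
ID_RE = re.compile(r"\bid:'?(\d+)'?")

def parse_rules(text):
    """Return (id, [variables], actions) for every SecRule that carries an id."""
    joined = re.sub(r'\\\s*\n\s*', ' ', text)  # fold backslash line continuations
    rules = []
    for variables, _operator, actions in RULE_RE.findall(joined):
        m = ID_RE.search(actions)
        if m:
            rules.append((int(m.group(1)), variables.split('|'), actions))
    return rules

def is_flow_control(variables, actions):
    # Assumed heuristic: steering rules inspect only TX variables or jump with skipAfter.
    only_tx = all(v.lstrip('!&').upper().startswith('TX:') for v in variables)
    return only_tx or 'skipAfter:' in actions

def split_range(text, lo=942000, hi=942999):
    """Split the IDs inside [lo, hi] into (detection, flow_control) lists."""
    detection, control = [], []
    for rule_id, variables, actions in parse_rules(text):
        if lo <= rule_id <= hi:
            bucket = control if is_flow_control(variables, actions) else detection
            bucket.append(rule_id)
    return sorted(detection), sorted(control)

def update_lines(text, target='ARGS:SearchTerm'):
    """One SecRuleUpdateTargetByID line per detection rule, none for steering rules."""
    detection, _control = split_range(text)
    return [f'SecRuleUpdateTargetByID {i} "{target}"' for i in detection]

if __name__ == '__main__':
    print('left untouched (flow control):', split_range(SAMPLE_RULES)[1])
    print('\n'.join(update_lines(SAMPLE_RULES)))
```
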