The ctl action should be ruleRemoveTargetById. Sorry for the typo. So the final rule should be:
SecRule REQUEST_URI "@beginsWith /dhis/api/26/dimensions.json" "id:10000,phase:1,pass,nolog,ctl:ruleRemoveTargetById=942100"

Regards
Waqas Ali

________________________________________
From: Waqas Ali Khan (47247)
Sent: Thursday, October 12, 2017 6:56 PM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Possibility of fine tuning libinjection results

Hi Bob

To determine what exactly is triggering the rule, you can view the error logs that are created in response to the detected rule. Data matched variable is going to show exactly what is being detected as a threat.

You can disable the mentioned rule just for this particular URI like:

SecRule REQUEST_URI "@beginsWith /dhis/api/26/dimensions.json" "id:10000,phase:1,pass,nolog,ctl:ruleRemoveById=942100"

You will have to include the above rule before the rule file 942100.

Regards
Waqas Ali

----------------------------------------------------------------------
Message: 1
Date: Thu, 12 Oct 2017 13:39:53 +0200
From: Bob Jolliffe <bobjolli...@gmail.com>
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] Possibility of fine tuning libinjection results
Message-ID: <CACd=f9ehJ9t24UG9fJch=__59q4rkb4jtubbzc2v_dmr5vu...@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hi

I am not very experienced with owcrs so please bear with me if I say silly things.

I have a problem that rule 942100 (libinjection) is getting falsely triggered in response to a legitimate api call on our application. In particular the offending URL is:

GET /dhis/api/26/dimensions.json?fields=id,displayName~rename(name),dimensionType&paging=false

Which triggers 942100 with a fingerprint of 'nok(n'.

I don't really want to disable the whole rule as I am sure libinjection is valuable and it seems it is just this nok thing which is tripping. I also will not easily get developers to change the api in a hurry.

Does anybody know if there is a way to keep 942100 but just disable responding to this particular fingerprint?

Bonus question: can anybody tell me what it is exactly in the URL which is upsetting libinjection? I am suspecting it has to do with 'rename(name)'

Regards
Bob
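Added example, not part of the original thread: a short script that follows the advice above by reading the rule's logged data field to find the variable that matched, then building an exclusion scoped to that one variable (ModSecurity's `ctl:ruleRemoveTargetById` takes `id;target`). The log line is constructed and abbreviated, the "Matched Data: ... found within VAR: value" layout and the `ARGS:fields` target are assumptions, and the function names are hypothetical.

```python
import re

# Constructed, abbreviated sample in the ModSecurity 2.x error-log style.
# Assumption: the rule's data field reads "Matched Data: X found within VAR: value".
SAMPLE_LOG = (
    "[client 192.0.2.10] ModSecurity: Warning. detected SQLi using libinjection "
    "with fingerprint 'nok(n' [id \"942100\"] "
    "[msg \"SQL Injection Attack Detected via libinjection\"] "
    "[data \"Matched Data: nok(n found within ARGS:fields: "
    "id,displayName~rename(name),dimensionType\"] "
    "[uri \"/dhis/api/26/dimensions.json\"]\n"
)

TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DATA = re.compile(r"Matched Data: (?P<matched>.*?) found within "
                  r"(?P<var>[A-Z_]+(?::[^:\s]+)?): (?P<value>.*)", re.S)


def parse_hits(log_text, rule_id="942100"):
    """Return one dict per log line reporting rule_id, naming the matched variable."""
    hits = []
    for line in log_text.splitlines():
        tags = dict(TAG.findall(line))
        if tags.get("id") != rule_id:
            continue
        m = DATA.search(tags.get("data", ""))
        if m is None:
            continue  # data field not in the assumed layout; skip the line
        hits.append({"uri": tags.get("uri", ""), "var": m["var"],
                     "matched": m["matched"], "value": m["value"]})
    return hits


def exclusion_for(hit, rule_id="942100", new_id=10000):
    """Build a phase-1 rule that removes only the matched variable from rule_id."""
    # Log fields carry request-derived text, so validate before emitting config.
    if not re.fullmatch(r"[A-Z_]+(?::[\w.-]+)?", hit["var"]):
        raise ValueError("unexpected variable name in log: %r" % hit["var"])
    if not re.fullmatch(r"/[\w./~-]*", hit["uri"]):
        raise ValueError("unexpected URI in log: %r" % hit["uri"])
    return ('SecRule REQUEST_URI "@beginsWith %s" '
            '"id:%d,phase:1,pass,nolog,ctl:ruleRemoveTargetById=%s;%s"'
            % (hit["uri"], new_id, rule_id, hit["var"]))


if __name__ == "__main__":
    for hit in parse_hits(SAMPLE_LOG):
        print(hit["var"], "->", exclusion_for(hit))
```

With this form, rule 942100 still inspects every other parameter and header on that URI; only the named argument is exempted.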