Hi to all

>
>
> Just updated a CentOS 7.4 to mod_security_crs 2.2.9 and mod_security
> 2.7.3-5. In the
> /etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_48_local_exceptions.conf
> file I have a rule like this that worked in earlier versions but no longer.
>
> Any idea?
>
> Thank you very much
>
> SecRule TX:'/^981172.*/' "@rx .*" "chain,phase:2,t:none,nolog,noauditlog,pass,msg:'WHITELISTING  %{rule.id}: Allowed false positive %{TX:0}',severity:'6',id:450010"
> SecRule REQUEST_COOKIES:'/^(Mycookie1|Mycookie2|Mycookie3|Mycookie4)/' "!^$" "t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-20"
>
>
>
> Log
>
>
>
> --9d781c6e-H--
>
> Message: Warning. Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*
> \\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\
> x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){8,}" at REQUEST_COOKIES:Mycookie1.
> [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_
> crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"]
> [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special
> characters exceeded"] [data "Matched Data: + found within
> REQUEST_COOKIES:Mycookie1: ve11n8OdWASErRyEZrw+29j8ihH2+
> RlST465bWRDDityPELrC/mXxSDAELEf1CSGT+knYFgt/3EWotqMvcFBiLlX0YDfDNxEnZ32pBz
> sp3B+45oPGeOc/lx16tGOY8Q+u1sfbcVEzHeNIpebO3DephHXQ3fz0v
> 66Qh2Qc5umtNSPP4p4pVd7C3gxxuspE4wWJlN7uF2iwVxkm+
> VN1W6wRt4USriw9aQQX0Csz1wKQdMlK5nv/S+uK+QBA7OdVsfOK7BXVrrXkLo7J9GS9oGY
> rnrkzNZ5rzOZRyllaqYRVV2pnm0qrdEq0Fiont4Z2+iHYEpnSuQRJpGi+mAL+
> FMnI1TNOlxIAzOgwV0ENaKXOgyQe3JVHStFc5cVVCptTtkL"] [ver "OWASP_CRS/2.2.9"]
> [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
>
> Apache-Handler: proxy-server
>
> Stopwatch: 1508316101057039 22395601 (- - -)
>
> Stopwatch2: 1508316101057039 22395601; combined=49089, p1=638, p2=48093,
> p3=3, p4=98, p5=177, sr=141, sw=80, l=0, gc=0
>
> Response-Body-Transformed: Dechunked
>
> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/);
> OWASP_CRS/2.2.9.
>
> Server: Apache
>
> Engine-Mode: "ENABLED"
>
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
