Exclusion Rules for dynamic ARGS

Stephan Fourie

Apr 8, 2020, 7:46:35 AM
to ModSecurity Core Rule Set project
Hi everyone,

Hope someone can help me. I'm writing some exclusion rules due to false positive detections and I would like to write a rule based on a URI and ARGS. The problem in this case is that the ARGS are very dynamic. The ARGS in this case look something like: ARGS:something_here[14384][10a421907e5441c07d9b8e8ad84373cc]. The parts between both sets of brackets change or have a lot of variants.

The initial rule that I wrote was:

SecRule REQUEST_URI "@contains /someuri/" "id:1001,phase:2,nolog,pass,\
  ctl:ruleRemoveTargetById=932100;ARGS:/^something_here/"

I then discovered that ctl:ruleRemoveTargetById does not support regex. Is the only other option then to write the rule as follows?

SecRuleUpdateTargetById 932100 "!ARGS:/something_here.*/"

Is there a way to link the URI to the rule in order to limit the scope of the rule further?

Thanks!
Stephan

Christian Folini

Apr 13, 2020, 5:00:27 AM
to Stephan Fourie, ModSecurity Core Rule Set project
Hello Stephan,

You are in a bad situation, but you are not the first one stuck with this
lack of regex support with the ctl rule exclusion commands.

Dynamic parameter names are the devil, that's for sure.

However, your solution based on the prefix of said variable names makes it
a viable solution in my eyes, even if it no longer has a URI constraint.

Good luck!

Christian
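The two exclusion styles from this thread side by side, as an added example that is not part of either post. It assumes the CRS 3.x exclusion file layout (REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf and RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf) and reuses the placeholder names from the question (/someuri/, something_here[...], rule 932100).

```apache
# Added example; names are placeholders taken from the question above.

# 1) Runtime (ctl) exclusion: scoped to the URI, but the target must be an
#    exact parameter name. A regex selector is not honoured here, so this
#    only helps when the full name is known in advance.
#    Lives in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf so it runs before
#    rule 932100 in phase 2.
SecRule REQUEST_URI "@beginsWith /someuri/" \
    "id:1001,phase:2,pass,nolog,\
    ctl:ruleRemoveTargetById=932100;ARGS:something_here[14384][10a421907e5441c07d9b8e8ad84373cc]"

# 2) Configure-time exclusion: regex selectors are supported, so the dynamic
#    suffix can be matched by prefix. Trade-off: it applies to every request,
#    not only /someuri/. Anchor with ^ so a parameter that merely contains the
#    prefix mid-name is not excluded; a trailing .* adds nothing.
#    Lives in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf, because the
#    directive must come after rule 932100 has been loaded.
SecRuleUpdateTargetById 932100 "!ARGS:/^something_here/"
```

Since style 2 widens the exclusion to all URIs, keep the regex as narrow as the real parameter names allow and review the audit log for rule 932100 afterwards to confirm nothing else lost coverage.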
