
We are getting a lot of false positives from using 3rd party software on our server. They themselves can't seem to fix it, and I'm trying to work out how to allow cookies through that contain "CERTAINSTRING_".

Below is an example of one of the bans. They are all the same rule ID.

www.mysite.com  27.33.154.111   981231  [15/Dec/2013:12:14:36 +1100]

Pattern match: \
"(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" \
at REQUEST_COOKIES: _CERTAINSTRING. \
[file "/usr/local/apache/conf/modsecurity_crs_41_sql_injection_attacks.conf"] \
[line "49"] \
[id "981231"] \
[rev "2"] \
[msg "SQL Comment Sequence Detected."] \
[data "Matched Data: 1#"
      "description::325,1091,/file-path/file-name/999/1,http://www.mysite.com/file-path/file-name/999/1#"
      "rev found within REQUEST_COOKIES:_CERTAINSTRING: 240,1091,/file-path/file-name/999/1,http://www.mysite.com/file-path/file-name/999/1#"
      "description::325,1091,/file-path/file-name/999/1,http://www.mysite…"] \
[severity "CRITICAL"] \
[ver "OWASP_CRS/2.2.8"] \
[maturity "8"] \
[accuracy "8"] \
[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] \
[tag "WASCTC/WASC-19"] \
[tag "OWASP_TOP_10/A1"]
MikeyB
starchild
    Oh. My. God. Before vomiting what looks like the output of an errant lineprinter into the "Ask Question" box, please take a moment to explain the problem to the [Rubber Duck](http://en.wikipedia.org/wiki/Rubber_duck_debugging) the nature of the exact problem you are trying to solve, and reduce the problem scope down to a single manageable question. Thanks. – MikeyB Dec 18 '13 at 02:26
  • What is your question? – Andrew Schulman Dec 18 '13 at 02:47
  • 1
    @AndrewSchulman: If you had ever worked with mod_security you'd know ... – user9517 Dec 18 '13 at 08:20
  • 1
    @MikeyB the question was there. We are getting false positives and I wanted to whitelist the thing that was causing them. What's so difficult to understand about that? Why be such a high and mighty fwit about it? iain seemed to know exactly what I was talking about and gave me the working answer within about 5 mins of me posting. No attitude, just the help I was seeking. Don't be such a dck. – starchild Dec 19 '13 at 02:38

1 Answer


You can use SecRuleUpdateTargetById to modify the rule:

SecRuleUpdateTargetById 981231 !REQUEST_COOKIES:/^_CERTAINSTRING/

This disables the rule that is causing you pain for request cookies whose name begins with _CERTAINSTRING.

Update:

The rule above needs to be placed after the rule to which it refers is defined. This is normally done by creating a file that is read after all of the CRS rules, e.g. based on the location referenced in your audit log message:

/usr/local/apache/conf/modsecurity_crs_61_customrules.conf

user9517
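Added worked example (not part of the question or of user9517's answer): the regex quoted in the audit log is the CRS 2.2.8 rule 981231 pattern, and the `#` near the end of the third-party cookie value, followed by whitespace, is what it treats as a MySQL comment sequence. The snippet below emulates rule 981231 over REQUEST_COOKIES with and without a `SecRuleUpdateTargetById`-style name exclusion, so you can see both why the false positive fires and what the exclusion costs you: a cookie with the excluded name is no longer checked by this rule at all, even if it carries real SQL comment syntax. The cookie names and values are constructed to resemble the redacted log excerpt and are assumptions, not data from the page.

```python
import re

# Pattern of CRS 2.2.8 rule 981231 ("SQL Comment Sequence Detected"),
# transcribed from the audit log line quoted in the question.
SQL_COMMENT_RE = re.compile(
    r"(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\x00)"
)

# Equivalent of:  SecRuleUpdateTargetById 981231 !REQUEST_COOKIES:/^_CERTAINSTRING/
# i.e. rule 981231 stops looking at cookies whose NAME starts with _CERTAINSTRING.
EXCLUDE_CERTAINSTRING = re.compile(r"^_CERTAINSTRING")

# Constructed sample cookie jar (assumption, modelled on the redacted log excerpt).
# The third-party cookie ends its URL fragment with "#" and a space, which is
# exactly the "[^-&]#...whitespace" branch of the rule.
SAMPLE_COOKIES = {
    "_CERTAINSTRING": (
        "240,1091,/file-path/file-name/999/1,"
        "http://www.mysite.com/file-path/file-name/999/1# description::325,1091"
    ),
    "PHPSESSID": "abc123",
}


def rule_981231_matches(value):
    """Return the matched data if the comment-sequence regex fires, else None."""
    m = SQL_COMMENT_RE.search(value)
    return m.group(0) if m else None


def inspect_cookies(cookies, excluded_name_re=None):
    """Emulate rule 981231 over REQUEST_COOKIES.

    excluded_name_re plays the role of the "!REQUEST_COOKIES:/regex/" target
    exclusion: cookies whose name matches it are skipped entirely.
    Returns a list of (cookie_name, matched_data) for cookies that would alert.
    """
    alerts = []
    for name, value in cookies.items():
        if excluded_name_re is not None and excluded_name_re.search(name):
            continue  # this is what SecRuleUpdateTargetById removes from the rule
        hit = rule_981231_matches(value)
        if hit is not None:
            alerts.append((name, hit))
    return alerts


if __name__ == "__main__":
    print("without exclusion:", inspect_cookies(SAMPLE_COOKIES))
    print("with exclusion:   ", inspect_cookies(SAMPLE_COOKIES, EXCLUDE_CERTAINSTRING))
    # The cost of the exclusion: an injection payload placed in that same
    # cookie name is now invisible to rule 981231.
    hostile = {"_CERTAINSTRING": "1' or 1=1 -- "}
    print("hostile, excluded:", inspect_cookies(hostile, EXCLUDE_CERTAINSTRING))
```

Because the exclusion is keyed on the cookie name rather than the offending value, it is the narrowest change that fixes this ban without turning off 981231 for every other cookie, but anything the application does with that cookie's value should not rely on this rule for protection afterwards.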