I am whitelisting a tag and I am curious whether there is a way to whitelist this and keep the logging for it at the same time.

SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION" !ARGS:/^fallout/

Would something like this work?

SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION","log","allow" !ARGS:/^fallout/

LUser

1 Answer

No, that is only for updating the target the rule is aimed at.

There is a SecRuleUpdateActionById command which allows you to make the SQL_INJECTION rules pass instead of block, but not for specific scenarios like you want here (i.e. only the ARGS/^fallout/ requests), and there is no ctl equivalent to allow you to chain this to achieve it :-(

You could remove your SecRuleUpdateTargetByTag customisation and instead turn the rule engine to DetectionOnly for these requests:

SecRule ARGS /^fallout/ "phase:2,id:1000,ctl:ruleEngine=DetectionOnly"

However, this would mean no phase:2 rules would be blocking for these URLs at all, which leaves a gaping hole in your WAF.

One way that would work would be to add this to the modsecurity_crs_41_sql_injection_attacks.conf file at the beginning and reverse it at the end to turn it back on again. This would work as the rules are processed in the order they are loaded in the config. However, normally I don't like editing the actual CRS files as that makes upgrading difficult (it is very easy to overwrite updates like this).

Alternatively, just log all ARGS fallout requests and examine them manually afterwards for SQL_INJECTION attempts:

SecRule ARGS /^fallout/ "phase:2,id:1001,log"

Barry Pollard
  • I thought I would toggle this to see if it had any effect, so I tried to turn off logging on this and I was still receiving logs. – LUser Jan 28 '16 at 22:24
  • SecRule ARGS /^fallout/ "phase:2,id:1001,log" – LUser Jan 28 '16 at 22:24
  • Well, you're explicitly asking for logging there. That was the point. That rule was to be used in conjunction with your rule to whitelist the real checks. So I'm confused about what you're asking now? – Barry Pollard Jan 28 '16 at 22:56
  • Sorry for the confusion. I wanted to see if this rule could also 'nolog' just to see if it really did anything. – LUser Jan 28 '16 at 22:58
  • If you nolog that rule then just that rule will not log. The original rules will still log. – Barry Pollard Jan 28 '16 at 23:18
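The "turn DetectionOnly on before the SQL injection file and back off after it" approach from the answer, written as two drop-in files instead of edits to the CRS file itself. This is an added example, not the answerer's configuration; it assumes a CRS 2.x layout where rule files are included in alphabetical order, a global SecRuleEngine On, traditional (per-rule blocking) mode, and that ids 1000 and 1001 are free (constructed values).

```apache
# File: modsecurity_crs_40_fallout_sqli_off.conf   (sorts before the *_41_* file)
# If any argument name starts with "fallout", remember that in a TX variable and
# switch the engine to DetectionOnly. Every later rule in this transaction still
# runs and still logs its matches; it just no longer blocks. That keeps the
# logging the question asked for.
SecRule ARGS_NAMES "@rx ^fallout" \
    "phase:2,id:1000,pass,nolog,t:none,setvar:tx.fallout_sqli_off=1,ctl:ruleEngine=DetectionOnly"

# ... modsecurity_crs_41_sql_injection_attacks.conf is included here, unchanged ...

# File: modsecurity_crs_42_fallout_sqli_on.conf    (sorts after the *_41_* file)
# Only for transactions we switched off above, restore blocking so the remaining
# phase:2 rules (XSS, RFI, protocol checks, ...) still enforce. The exemption is
# therefore limited to the SQL injection rule file rather than the whole phase.
SecRule TX:fallout_sqli_off "@eq 1" \
    "phase:2,id:1001,pass,nolog,t:none,ctl:ruleEngine=On"

# Caveat (assumption about your setup): in anomaly-scoring mode the 41 rules only
# add to tx.anomaly_score and the block happens later in the 49 file, so this
# window would not prevent the block; there you would have to adjust the score
# instead of the engine state.
```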