I have an application served by Apache, on which mod_security is enabled, and I have been successfully tuning exceptions to avoid false positives using the likes of:

SecRuleUpdateTargetById 981260 !ARGS:'/^PD-.*/'

But now I am facing the case where a request argument carries a password, which could potentially contain every possible combination of characters that mod_security will flag as a false positive. So my naive solution would be to disable all rules for that particular argument with something like:

SecRuleUpdateTargetById * !ARGS:'/^PD-.*/'

Is such a thing possible?

NotSoOldNick

1 Answer

No, that's not possible. Though it is possible to disable multiple rules at a time based on a tag id so all rules tagged with that tag are disabled, for example:

SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION" !ARGS:'/^PD-.*/'

If an argument potentially falls foul of several different tags of rules (e.g. SQL injection and XSS) then you will have to put in several SecRuleUpdateTargetByTag exceptions.

This also depends on tags being specified consistently in the rule set. They mostly are in the OWASP CRS but I'm not sure about other ModSecurity rule sets.

See here for more details: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecRuleUpdateTargetByTag

You can similarly use SecRuleUpdateTargetByMsg instead (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecRuleUpdateTargetByMsg)

Barry Pollard
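Added example, not part of the answer above and not ModSecurity or CRS code: a small Python script that reads ModSecurity 2.x error-log lines, finds which rules actually fired on arguments matching `^PD-.*`, and prints one SecRuleUpdateTargetByTag line per category tag, falling back to SecRuleUpdateTargetById for rules that carry no such tag. The function name `exclusions`, the log lines, rule ids 9990001 and 9990002, and treating tags that start with `OWASP_CRS/` as the category tag are all assumptions made for the illustration.

```python
import re

# Constructed sample lines in the ModSecurity 2.x Apache error-log layout.
# Rule ids 9990001/9990002 are made up; 981260 is the id from the question.
SAMPLE_LOG = r'''
ModSecurity: Warning. Pattern match "..." at ARGS:PD-password. [id "981260"] [msg "constructed"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"]
ModSecurity: Warning. Pattern match "..." at ARGS:PD-password. [id "9990001"] [msg "constructed"] [tag "OWASP_CRS/WEB_ATTACK/XSS"]
ModSecurity: Warning. Pattern match "..." at ARGS:PD-password. [id "9990002"] [msg "constructed, rule without a category tag"]
ModSecurity: Warning. Pattern match "..." at ARGS:comment. [id "981260"] [msg "constructed"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"]
ModSecurity: Warning. Pattern match "..." at REQUEST_HEADERS:User-Agent. [id "9990001"] [tag "OWASP_CRS/WEB_ATTACK/XSS"]
'''

TARGET_RE = re.compile(r' at ARGS:(\S+?)\. \[')   # argument the rule matched on
ID_RE = re.compile(r'\[id "(\d+)"\]')
TAG_RE = re.compile(r'\[tag "([^"]+)"\]')


def exclusions(log_text, arg_pattern=r'^PD-.*', tag_prefix='OWASP_CRS/'):
    """Return the exclusion directives needed for arguments matching arg_pattern."""
    arg_re = re.compile(arg_pattern)
    by_tag, by_id = set(), set()
    for line in log_text.splitlines():
        target = TARGET_RE.search(line)
        rule_id = ID_RE.search(line)
        # Skip hits on other variables and on arguments we do not want to exclude.
        if not (target and rule_id and arg_re.search(target.group(1))):
            continue
        category = [t for t in TAG_RE.findall(line) if t.startswith(tag_prefix)]
        if category:
            by_tag.add(category[0])        # one tag is enough to cover the rule
        else:
            by_id.add(rule_id.group(1))    # untagged rule: exclude it by id
    spec = "!ARGS:'/%s/'" % arg_pattern
    out = ['SecRuleUpdateTargetByTag "%s" %s' % (t, spec) for t in sorted(by_tag)]
    out += ['SecRuleUpdateTargetById %s %s' % (i, spec) for i in sorted(by_id)]
    return out


if __name__ == '__main__':
    print('\n'.join(exclusions(SAMPLE_LOG)))
```

Only tags seen firing on the password argument are excluded, so the rest of the rule set keeps inspecting it.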