
I am trying to disable rule 942100 (an SQLi rule) when certain values are present in the URI, but Apache won't start, so something is wrong.

My attempt (in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf):

SecRule ARGS "@rx (m[inax]{2}[_\w]+)\-{3}[ade]{1,2}sc" \
    "id:942100,\
    phase:2,\
    pass,\
    nolog,noauditlog,\
    ctl:ruleRemoveById=942100"

The idea is that URI values such as "min_width---asc" and "max_height_or_width---desc", for example, are not flagged by ModSec. I need to remove these false positives, but it's not working.

Yes Barry

1 Answer


I think you can't remove the rule itself. As you can see, the id of your rule is equal to the one you want to remove.

If you look at the original rule here, you can see there is a unique id (1001). Why don't you modify the operator and arguments, and remove the comment?

E.g.:

SecRule ARGS "@rx (m[inax]{2}[_\w]+)\-{3}[ade]{1,2}sc" \
     "id:1001,\
     phase:1,\
     pass,\
     nolog,\
     ctl:ruleRemoveTargetById=942100"

Or you can do that with a new, unique id (replace the 1001 with another unique value).

airween
  • Touche. XD I will try this immediately. (Tbh I've been doing a lot of guesswork with all this, it's pretty dense for newcomers) – Yes Barry Apr 27 '19 at 14:02
  • Yep, apache at least started. Now I will play the waiting game and keep an eye on the logs to see if everything including my regex was a success. Thanks! – Yes Barry Apr 27 '19 at 14:11
  • Cool, you're welcome :) – airween Apr 27 '19 at 20:13
  • It appears those particular requests stopped appearing in the logs during the past couple weeks. So I'll call that a success. – Yes Barry May 17 '19 at 19:12
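
An added example, not part of the original posts or of the CRS project: it runs the exclusion regex from this thread, next to a stricter anchored variant, over constructed parameter values to show which requests would trigger the exclusion for rule 942100. The stricter pattern, the parameter names `sort` and `q`, and every sample value other than the two quoted in the question are assumptions.

```python
import re

# Exclusion pattern exactly as posted on the page. ModSecurity's @rx is an
# unanchored search, which re.search() mirrors.
POSTED = re.compile(r"(m[inax]{2}[_\w]+)\-{3}[ade]{1,2}sc")

# Assumption (not from the page): a stricter variant for comparison, anchored
# at both ends and spelling out min/max and asc/desc literally.
STRICT = re.compile(r"\Am(?:in|ax)_\w+-{3}(?:asc|desc)\Z")

# Constructed sample requests as {parameter: value}. The parameter names
# "sort" and "q" are hypothetical; the first two values are from the question.
SAMPLES = {
    "question value 1": {"sort": "min_width---asc"},
    "question value 2": {"sort": "max_height_or_width---desc"},
    "lookalike token": {"sort": "mna_x---eesc"},
    "token inside longer value": {"sort": "min_width---asc plus more text"},
    "second parameter present": {"sort": "min_width---asc", "q": "anything"},
    "unrelated value": {"sort": "name---asc"},
}


def exclusion_fires(args, pattern):
    """Emulate SecRule ARGS "@rx ...": one matching value is enough to fire
    the ctl action, which then applies to the whole request."""
    return any(pattern.search(value) for value in args.values())


def compare(samples=SAMPLES):
    """Map each sample label to (fires with POSTED, fires with STRICT)."""
    return {
        label: (exclusion_fires(args, POSTED), exclusion_fires(args, STRICT))
        for label, args in samples.items()
    }


if __name__ == "__main__":
    for label, (posted, strict) in compare().items():
        print(f"{label:28} posted={posted!s:5} strict={strict}")
```

The posted pattern also fires on lookalike tokens and on longer values that merely contain the token, while the anchored variant fires only on whole values of the intended shape. With either pattern, one matching parameter switches the rule off for every parameter in that request.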