
Question: How can I make an exception for a rule with a specific Id? #3460

@1gm4

I know that ctl:ruleRemoveTargetById is used for this.
I want to create an exception to a default OWASP CRS rule.

But my rule exception looks like this:

    SecRule REQUEST_URI "@beginsWith /rest/user/login" \
        "id:1,phase:1,pass,\
        log,ctl:ruleRemoveTargetById=949110;ARGS:json.qwerty.comment"

and this does not work :(

In error.log and modsec_audit.log, I see that the request is blocked by rule ID 949110 from REQUEST-949-BLOCKING-EVALUATION.conf.

What am I doing wrong?

UPD:
Could it be that this is happening because of the summation of the anomaly score?
modsec_audit:

ModSecurity: Warning. Matched "Operator `BeginsWith' with parameter `/rest/user/login' against variable `REQUEST_URI' (Value: `/rest/user/login' ) [file "/usr/share/modsecurity/custom_rules/IP_deny.conf"] [line "4"] [id "1"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "192.168.1.71"] [uri "/rest/user/login"] [unique_id "176232823339.923895"] [ref "o0,16v5,16"]
 ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1c found within ARGS:json.qwerty.comment: ' or 1 = 1 -- -"] [severity "2"] [ver "OWASP_CRS/3.3.7"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "192.168.1.71"] [uri "/rest/user/login"] [unique_id "176232823339.923895"] [ref "v20,15"]
 ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:^\s*[\"'`;]+|[\"'`]+\s*$)' against variable `ARGS:json.qwerty.comment' (Value: `' or 1 = 1 -- -' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "500"] [id "942110"] [rev ""] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: ' found within ARGS:json.qwerty.comment: ' or 1 = 1 -- -"] [severity "4"] [ver "OWASP_CRS/3.3.7"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "192.168.1.71"] [uri "/rest/user/login"] [unique_id "176232823339.923895"] [ref "o0,1v20,15t:utf8toUnicode,t:urlDecodeUni"]
 ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?(?:<(?:=(?:[\s'\"`()]*?(?!\b\1\b)[\d\w]+|>[\s'\"`()]*?(?:\b\1\b))|>?[\s'\"`()]*?(?!\b\1\b)[\d\w]+)|(?:not\s+(?:regexp|like)|is\s+not|>=?|!=|\^)[\s'\"`()]*?(?!\ (78 characters omitted)' against variable `ARGS:json.qwerty.comment' (Value: `' or 1 = 1 -- -' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "571"] [id "942130"] [rev ""] [msg "SQL Injection Attack: SQL Tautology Detected"] [data "Matched Data: 1 = 1 found within ARGS:json.qwerty.comment: ' or 1 = 1 -- -"] [severity "2"] [ver "OWASP_CRS/3.3.7"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "192.168.1.71"] [uri "/rest/user/login"] [unique_id "176232823339.923895"] [ref "o4,6o5,1v20,15"]
 ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:[\"'`](?:\s*?(?:(?:between|x?or|and|div)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]|like(?:[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]|\W+[\w\"'`(])|[!=|](?:[\d\s!=+-]+.*?[\"'`(].*?|[\d\s!=]+.*?\d+)$|[^\w\s]?=\s*?[ (149 characters omitted)' against variable `ARGS:json.qwerty.comment' (Value: `' or 1 = 1 -- -' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "639"] [id "942180"] [rev ""] [msg "Detects basic SQL authentication bypass attempts 1/3"] [data "Matched Data: ' or 1 = 1 found within ARGS:json.qwerty.comment: ' or 1 = 1 -- -"] [severity "2"] [ver "OWASP_CRS/3.3.7"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "192.168.1.71"] [uri "/rest/user/login"] [unique_id "176232823339.923895"] [ref "o0,10v20,15t:urlDecodeUni"]
 ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:^(?:[\"'`\\\\]*?(?:[^\"'`]+[\"'`]|[\d\"'`]+)\s*?(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)\s*?[\w\"'`][+&!@(),.-]|.?[\"'`]$)|\@(?:[\w-]+\s(?:between|like|x?or|and|div)\s*?[^\w\s]|\ (226 characters omitted)' against variable `ARGS:json.qwerty.comment' (Value: `' or 1 = 1 -- -' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "827"] [id "942330"] [rev ""] [msg "Detects classic SQL injection probings 1/3"] [data "Matched Data: ' or 1 found within ARGS:json.qwerty.comment: ' or 1 = 1 -- -"] [severity "2"] [ver "OWASP_CRS/3.3.7"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "192.168.1.71"] [uri "/rest/user/login"] [unique_id "176232823339.923895"] [ref "o0,6v20,15t:urlDecodeUni"]
 ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:\b(?:(?i:xor)\b\s+(?:'[^=]{1,10}'(?:\s*?[=<>])?|\d{1,10}(?:\s*?[=<>])?)|(?i:or)\b\s+(?:'[^=]{1,10}'(?:\s*?[=<>])?|\d{1,10}(?:\s*?[=<>])?))|(?i:\bor\b ?[\'\"][^=]{1,10}[\'\"] ?[=<>]+)|(?i:'\s+xor\s+ (79 characters omitted)' against variable `ARGS:json.qwerty.comment' (Value: `' or 1 = 1 -- -' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "970"] [id "942390"] [rev ""] [msg "SQL Injection Attack"] [data "Matched Data: ' or 1 = 1 -- - found within ARGS:json.qwerty.comment: ' or 1 = 1 -- -"] [severity "2"] [ver "OWASP_CRS/3.3.7"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "192.168.1.71"] [uri "/rest/user/login"] [unique_id "176232823339.923895"] [ref "o0,15v20,15t:urlDecodeUni"]
 ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:/\*!?|\*/|[';]--|--[\s\r\n\v\f]|--[^-]*?-|[^&-]#.*?[\s\r\n\v\f]|;?\\x00)' against variable `ARGS:json.qwerty.comment' (Value: `' or 1 = 1 -- -' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1189"] [id "942440"] [rev ""] [msg "SQL Comment Sequence Detected"] [data "Matched Data: -- found within ARGS:json.qwerty.comment: ' or 1 = 1 -- -"] [severity "2"] [ver "OWASP_CRS/3.3.7"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "192.168.1.71"] [uri "/rest/user/login"] [unique_id "176232823339.923895"] [ref "o11,3v20,15t:urlDecodeUni"]
 ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `10' against variable `TX:ANOMALY_SCORE' (Value: `33' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "81"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 33)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.7"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "192.168.1.71"] [uri "/rest/user/login"] [unique_id "176232823339.923895"] [ref ""] 
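Reading the posted audit entries: rule 949110 is the CRS blocking-evaluation rule. It does not inspect ARGS:json.qwerty.comment at all; it only compares TX:ANOMALY_SCORE (33 here) against the inbound threshold (10 here). The score was accumulated by the 942xxx SQLi rules, each of which still saw the argument because the exception removed the target from 949110 rather than from them. The script below is an added example and not code from the issue or from OWASP CRS: it rebuilds the anomaly score from condensed copies of the posted audit lines (constructed sample input, other fields dropped), shows that excluding 949110 leaves the score untouched while excluding the 942xxx rules zeroes it, and renders a ctl:ruleRemoveTargetById exception for the contributing IDs. Assumptions: CRS 3.x default per-severity scores (critical 5, error 4, warning 3, notice 2), the threshold of 10 visible in the log, and one ctl action per rule ID; the helper names are mine.

```python
"""Rebuild the CRS anomaly score from audit-log entries and render the
exception that actually removes a target from the scoring rules.

Added example (not from the issue or from OWASP CRS). The score model is the
CRS 3.x default: a matched detection rule adds the score for its severity via
setvar; the 949110 rule only compares the total against the threshold.
"""
import re

# Constructed sample: condensed forms of the audit entries posted in the issue
# (file, id, severity and tags kept; operator details and other fields dropped).
AUDIT_LOG = """\
ModSecurity: Warning. Matched BeginsWith against REQUEST_URI [file "/usr/share/modsecurity/custom_rules/IP_deny.conf"] [line "4"] [id "1"] [severity "0"]
ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [severity "2"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"]
ModSecurity: Warning. Matched Rx against ARGS:json.qwerty.comment [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942110"] [severity "4"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "paranoia-level/2"]
ModSecurity: Warning. Matched Rx against ARGS:json.qwerty.comment [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942130"] [severity "2"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "paranoia-level/2"]
ModSecurity: Warning. Matched Rx against ARGS:json.qwerty.comment [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942180"] [severity "2"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "paranoia-level/2"]
ModSecurity: Warning. Matched Rx against ARGS:json.qwerty.comment [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942330"] [severity "2"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "paranoia-level/2"]
ModSecurity: Warning. Matched Rx against ARGS:json.qwerty.comment [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942390"] [severity "2"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "paranoia-level/2"]
ModSecurity: Warning. Matched Rx against ARGS:json.qwerty.comment [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942440"] [severity "2"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "paranoia-level/2"]
ModSecurity: Access denied with code 403 (phase 2). Matched Ge 10 against TX:ANOMALY_SCORE (Value: 33) [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [severity "2"] [tag "attack-generic"]
"""

# ModSecurity severity numbers -> CRS 3.x default anomaly scores
# (2 CRITICAL, 3 ERROR, 4 WARNING, 5 NOTICE). Assumed defaults.
SEVERITY_SCORE = {2: 5, 3: 4, 4: 3, 5: 2}
INBOUND_THRESHOLD = 10        # the "Ge 10" visible in the posted log
EVALUATION_RULE = 949110      # compares the total; never adds to it

ENTRY_RE = re.compile(r'\[file "([^"]*)"\].*?\[id "(\d+)"\].*?\[severity "(\d+)"\]')
TAG_RE = re.compile(r'\[tag "([^"]+)"\]')


def parse_entries(log: str) -> list[dict]:
    """Pull file, rule id, severity and tags out of each audit line."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        entries.append({
            "file": m.group(1),
            "id": int(m.group(2)),
            "severity": int(m.group(3)),
            "tags": set(TAG_RE.findall(line)),
        })
    return entries


def scoring_entries(entries: list[dict]) -> list[dict]:
    """Only CRS detection rules raise tx.anomaly_score; the user's own id:1
    rule and the 949110 evaluator are not scorers."""
    return [e for e in entries
            if "OWASP_CRS" in e["tags"] and e["id"] != EVALUATION_RULE]


def anomaly_score(entries: list[dict], excluded_ids=frozenset()) -> int:
    """Total score after removing the target from the given rule ids, which
    is what ctl:ruleRemoveTargetById does for a single argument."""
    return sum(SEVERITY_SCORE.get(e["severity"], 0)
               for e in scoring_entries(entries) if e["id"] not in excluded_ids)


def is_blocked(score: int, threshold: int = INBOUND_THRESHOLD) -> bool:
    """Rule 949110's decision: block when the total reaches the threshold."""
    return score >= threshold


def exclusion_rule(rule_ids, uri_prefix: str, target: str, rule_id: int = 1) -> str:
    """Render a phase-1 runtime exclusion, one ctl action per contributing
    rule id, to be loaded before the CRS rule files."""
    ctls = ",\\\n    ".join(
        f"ctl:ruleRemoveTargetById={rid};{target}" for rid in sorted(rule_ids))
    return (f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" \\\n'
            f'    "id:{rule_id},phase:1,pass,nolog,\\\n    {ctls}"')


if __name__ == "__main__":
    entries = parse_entries(AUDIT_LOG)
    scorers = sorted({e["id"] for e in scoring_entries(entries)})
    print("rules that added to the score:", scorers)
    print("score rebuilt from the log:", anomaly_score(entries))            # 33
    print("after excluding 949110 only:", anomaly_score(entries, {949110}))  # 33
    print("after excluding the scorers:", anomaly_score(entries, set(scorers)))  # 0
    print(exclusion_rule(scorers, "/rest/user/login", "ARGS:json.qwerty.comment"))
```

Two practical notes on applying the rendered rule: runtime exclusions only affect rules evaluated after them, so the file must be included before the CRS rule files (CRS ships REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf for exactly this; the posted log shows id:1 firing first, so that ordering was already right). If listing individual IDs is too brittle, ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:json.qwerty.comment drops that one argument from every SQLi rule, at the cost of losing all SQLi detection on a login field, which is the field an attacker is most interested in.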
