
How can I modify a pattern in Modsecurity Core Rule Set

Is there any way to update the pattern of a rule in a modsecurity_crs_custom.conf file? I have a rich text editor that lets people wrap up link text. The <a href></a> is raising a warning from rule 973304. I want to exclude href from the pattern but I don't know how to do that. It doesn't look like there is an option along the lines of SecRuleUpdatePatternById.

I have tried SecRuleUpdateTargetById 973304 "XML:\\b(background|dynsrc|lowsrc|src)\\b\\W*?="

But that is obviously not working.

Here's the warning:

Message: Access denied with code 403 (phase 2). Pattern match
"\\b(background|dynsrc|href|lowsrc|src)\\b\\W*?=" at ARGS:comment. 
[file "/etc/httpd/crs/owasp-modsecurity/crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] 
[line "333"] [id "973304"] [rev "2"] [msg "XSS Attack Detected"] 
[data "Matched Data: href= found within ARGS:comment: 
txt <a href=\x22http://kslll.com/391\x22>dgfdfgfdf </a> ......

I'm not aware of a way of editing the pattern so the easiest way would probably be to ignore the whole rule for that argument:

SecRuleUpdateTargetById 973304 "!ARGS:comment"

If you wanted to keep the other protection the rule gives but not the href bit then you could add a copy of the rule back in again (with a different rule id) but without the href bit.
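
The two steps from the answer combined into one configuration, as an added example that is not part of the original answer: rule 973304 keeps inspecting every other target, and a copy without href covers ARGS:comment only. The rule id 1000001 and the action list on the copy are assumptions; take the actions from your installed 973304 if the copy has to behave identically (tags, anomaly scoring).

```apache
# Load this after the CRS base rules: SecRuleUpdateTargetById only
# affects rules that have already been defined.

# 1. Stop rule 973304 from inspecting the rich-text field.
#    All other arguments are still checked with the original pattern.
SecRuleUpdateTargetById 973304 "!ARGS:comment"

# 2. Re-add the check for that field only, with "href" dropped from
#    the alternation. The id is a placeholder (assumption): use any id
#    that is unused in your local range.
#    Single backslashes here: the doubled ones in the audit log are
#    log escaping, not part of the pattern.
SecRule ARGS:comment "\b(background|dynsrc|lowsrc|src)\b\W*?=" \
    "id:1000001,\
    phase:2,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,\
    block,log,capture,\
    msg:'XSS Attack Detected (local copy of 973304 without href)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}'"
```

With this in place href= is no longer inspected in the comment field by this rule, so the application still has to sanitize link targets in the submitted markup itself.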
