Ryan Barnett | 4 Sep 15:35

Re: how to except a url

Disabling Mod based on a specific URI -

If you do not have any rules running in phase:1, then you can use Apache scope directives to disable Mod based on the URI location -

<Location "/myscripts/script.php">
SecRuleEngine Off
</Location>

If you do have phase:1 rules, then you will need to use only Mod rules -

SecRule REQUEST_FILENAME "^/myscripts/script\.php$" "phase:1,t:none,nolog,allow,ctl:ruleEngine=Off"

 

Excluding the ARGS:message variable from inspection -

If you want to exclude the ARGS:message variable since there are too many false positives, you first need to figure out exactly which rulesets are causing the FPs.  I would guess that this is mostly contained to the modsecurity_crs_40_generic_attacks.conf file.  What you will need to do is to update each rule with the "!ARGS:message" variable exclusion like this -

# Session fixation
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!ARGS:message "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
        "capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation. Matched signature <%{TX.0}>',id:'950009',severity:'2'"

 

Excluding the ARGS:message variable only if it is part of the "/myscripts/script.php" script -

Combine the two previous concepts.

<Location "/myscripts/script.php">
# Session fixation
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!ARGS:message "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
        "capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation. Matched signature <%{TX.0}>',id:'950009',severity:'2'"
</Location>

 

You could also have these new rules in separate files and then call them up with Apache Includes -

<Location "/myscripts/script.php">
Include conf/rules/custom_rules.conf
</Location>

FYI - we are working on some ModSecurity enhancements that will help with exclusions, such as SecRuleRemoveById and skipto actions.  These will help with controlling when and where to apply exceptions.

 

Hope this helps.

 

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache


> -----Original Message-----
> From: donnydark [mailto:donnydark <at> gmail.com]
> Sent: Saturday, September 01, 2007 9:37 AM
> To: Ryan Barnett
> Cc: mod-security-users <at> lists.sourceforge.net
> Subject: Re[2]: [mod-security-users] how to except a url
>
> >> How exactly do you make an exception for a specific script and arg?
> >> SecRule REQUEST_FILENAME "^/myscripts/script\.php$" "nolog,allow"
> >> SecRule ARGS:message
> >[Ryan Barnett] What version of ModSecurity are you using?  From your use
> >of SecRule, I am assuming v2.x.  So, is your intent to disable rule
> >processing entirely for the /myscripts/script.php file or for any
> >argument whose name is "message" or a combination of both where you just
> >want to exclude the message parameter on that one page?
>
> 2.1.2
>
> I am interested in the solutions to all three examples you name.
>
> However what I intended to ask for was the third.  "a combination of
> both where you just want to exclude the message parameter on that
> one page".
>
> Can you provide an example please?
>
> --
> Best regards,
>  donnydark                            mailto:donnydark <at> gmail.com

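The following is an added illustration, not code from the thread or from ModSecurity itself: a small Python model of how a SecRule variable list such as `REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!ARGS:message` is expanded before the regex runs. It uses the session-fixation regex and target list quoted above, applies the `!ARGS:message` exclusion and the `<Location>` scoping from Ryan's reply, and runs them over two constructed sample requests. The request dictionaries, the `expand_targets`, `matching_targets` and `exclusion_applies` helpers and the exact-case name matching are all simplifications assumed here; the real engine handles many more collections, transformations and case rules.

```python
import re

# Target list and regex as quoted in the thread's session-fixation rule (id 950009)
CRS_TARGETS = "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer"
SESSION_FIXATION_RE = re.compile(
    r"(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)"
)
# The exclusion discussed in the thread, appended to the rule's variable list
TARGETS_WITHOUT_MESSAGE = CRS_TARGETS + "|!ARGS:message"

# Constructed sample requests (not taken from the thread). ARGS is an ordered
# list of (name, value) pairs because a parameter may repeat.
REQUEST_PAYLOAD_IN_MESSAGE = {
    "REQUEST_FILENAME": "/myscripts/script.php",
    "ARGS": [("message", "see document.cookie; expires=soon"), ("title", "hello")],
    "REQUEST_HEADERS": {
        "Host": "www.example.test",
        # A Referer that would match the regex; the CRS rule already excludes it
        "Referer": "http://www.example.test/?x=document.cookie; domain=a",
    },
}
REQUEST_PAYLOAD_IN_TITLE = {
    "REQUEST_FILENAME": "/myscripts/script.php",
    "ARGS": [("message", "plain text"), ("title", "document.cookie; domain=evil")],
    "REQUEST_HEADERS": {"Host": "www.example.test"},
}


def expand_targets(spec, request):
    """Expand a SecRule variable list into (name, value) pairs, then drop every
    pair named by a '!VAR:name' exclusion. Simplified model: only the four
    collections used by the quoted rule, exact-case name matching."""
    include, exclude = [], set()
    for token in spec.split("|"):
        if token.startswith("!"):
            exclude.add(token[1:])
        else:
            include.append(token)
    selected = []
    for token in include:
        if token == "REQUEST_FILENAME":
            selected.append(("REQUEST_FILENAME", request["REQUEST_FILENAME"]))
        elif token == "ARGS":
            selected.extend(("ARGS:" + k, v) for k, v in request["ARGS"])
        elif token == "ARGS_NAMES":
            # ARGS_NAMES inspects the parameter names themselves, so
            # '!ARGS:message' does not remove 'ARGS_NAMES:message'
            selected.extend(("ARGS_NAMES:" + k, k) for k, _ in request["ARGS"])
        elif token == "REQUEST_HEADERS":
            selected.extend(
                ("REQUEST_HEADERS:" + k, v) for k, v in request["REQUEST_HEADERS"].items()
            )
        else:
            raise ValueError("unsupported variable in this model: " + token)
    return [(name, value) for name, value in selected if name not in exclude]


def matching_targets(spec, regex, request):
    """Names of the selected variables whose value the rule's regex matches."""
    return [name for name, value in expand_targets(spec, request) if regex.search(value)]


def exclusion_applies(location, request):
    """Mirror the <Location> wrapper: the relaxed rule only applies to that script."""
    return request["REQUEST_FILENAME"] == location


if __name__ == "__main__":
    for label, req in (("message", REQUEST_PAYLOAD_IN_MESSAGE), ("title", REQUEST_PAYLOAD_IN_TITLE)):
        spec = TARGETS_WITHOUT_MESSAGE if exclusion_applies("/myscripts/script.php", req) else CRS_TARGETS
        print(label, "->", matching_targets(spec, SESSION_FIXATION_RE, req))
```

Running it shows the point of the thread: with the stock target list the payload in `message` trips the rule, with `!ARGS:message` added it no longer does, while the same payload placed in `title` is still caught, so the exclusion is narrow rather than a blanket whitelist of the page.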

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users