This article applies to:

• ModSecurity

Question:

• How can I address false positives?
• How do I set up exception handling?

Procedure:

There are many methods of implementing Exception Handling in ModSecurity to address false positive alerts.  This article outlines the easiest approach which is to simply disable a problematic rule ID by using the SecRuleRemoveById directive.

For example, consider the following ModSecurity alert message:

Message: Warning. Pattern match "\bselect\b.{0,40}\buser\b" at ARGS:comment. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "67"] [id "959514"] [rev "2.0.9"] [msg "Blind SQL Injection Attack"] [data "select a new user"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]

If rule ID 959514 is causing many issues, you can use the following directive by adding it to a modsecurity_crs_99_custom.conf file:

SecRuleRemoveById 959514

Notes:

For general information about ModSecurity see the Reference Manual (one source for this manual is in the Related Links section below).