This article applies to:

• ModSecurity

Question:

• How can I address false positives?
• How do I set up exception handling?

Procedure:

There are many methods of implementing Exception Handling in ModSecurity to address false positive alerts.  This article outlines an approach which will conditionally disable a problematic rule ID (based on the URL) by using the ctl:ruleRemoveById action.

For example, consider the following ModSecurity alert message (formatted for readability):

[Sun Jun 30 13:45:43 2013] [error] [client 192.168.11.143] ModSecurity: Access denied with code 403 
(phase 2). Pattern match "(^[\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at ARGS:DocCopyList. 
[file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "66"] [id "981318"] [rev "2"] 
[msg "SQL Injection Attack: Common Injection Testing Detected"] 
[data "Matched Data: \xb4 found within ARGS:DocCopyList: \xd9\x8a\xd8\xb4\xd9\x8a\xd8\xb4\xd8\xb3\xd9\x8a\xd8\xb4"] 
[severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] 
[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] 
[tag "WASCTC/WASC-19"] 
[tag "OWASP_TOP_10/A1"] 
[tag "OWASP_AppSensor/CIE1"] 
[tag "PCI/6.5.2"] 
[hostname "192.168.11.60"] 
[uri "/DMS-V2/doc_out/doc_out_new.php"] 
[unique_id "UdAMV8CoCzwAAHRHMhYAAAAB"]

If rule ID 981318 is causing many issues on the /DMS-V2/doc_out/doc_out_new.php page, you can add the following new rule to a modsecurity_crs_00_custom.conf file:

SecRule REQUEST_FILENAME "@streq /DMS-V2/doc_out/doc_out_new.php" "id:1,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=981318"

Notes:

For general information about ModSecurity see the Reference Manual (one source for this manual is in the Related Links section below).