Question:
- How can I address false positives?
- How do I set up exception handling?
Procedure:
There are many methods of implementing exception handling in ModSecurity to address false positive alerts. This article outlines the easiest approach, which is to disable a problematic rule by its ID using the SecRuleRemoveById directive.
For example, consider the following ModSecurity alert message:
Message: Warning. Pattern match "\bselect\b.{0,40}\buser\b" at ARGS:comment. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "67"] [id "959514"] [rev "2.0.9"] [msg "Blind SQL Injection Attack"] [data "select a new user"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
If rule ID 959514 is generating many false positives, you can disable it by adding the following directive to a modsecurity_crs_99_custom.conf file:
SecRuleRemoveById 959514
Make sure that the modsecurity_crs_99_custom.conf file is activated in the web server configuration so that it is loaded AFTER the normal ModSecurity rules; SecRuleRemoveById only affects rules that have already been loaded.
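As an added example that is not part of the original article, the Python script below parses alert messages in the format shown above, counts how often each rule ID fires, renders the matching SecRuleRemoveById lines for modsecurity_crs_99_custom.conf, and checks that the custom file is the last ModSecurity file included in the web server configuration. The alert lines and httpd.conf fragments are constructed samples, not real log data.

```python
import re
from collections import Counter

# Constructed sample alerts in the format shown above (not real log data).
SAMPLE_ALERTS = [
    'Message: Warning. Pattern match "\\bselect\\b.{0,40}\\buser\\b" at ARGS:comment. '
    '[file "base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "67"] [id "959514"] '
    '[msg "Blind SQL Injection Attack"] [data "select a new user"] [severity "CRITICAL"]',
    'Message: Warning. Pattern match "\\bselect\\b.{0,40}\\buser\\b" at ARGS:comment. '
    '[file "base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "67"] [id "959514"] '
    '[msg "Blind SQL Injection Attack"] [data "select the admin user"] [severity "CRITICAL"]',
    'Message: Access denied with code 403. Pattern match "x" at ARGS:q. '
    '[file "base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "12"] [id "950901"] '
    '[msg "SQL Injection Attack"] [severity "CRITICAL"]',
]

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
TARGET_RE = re.compile(r' at (\S+?)\. \[')                 # "... at ARGS:comment. ["

def parse_alert(line):
    """Split one alert message into its bracketed fields plus the matched variable."""
    fields = dict(FIELD_RE.findall(line))
    m = TARGET_RE.search(line)
    fields['target'] = m.group(1) if m else None
    return fields

def count_by_rule(lines, threshold=1):
    """Count alerts per rule id; keep only ids that fired at least `threshold` times."""
    counts = Counter(f['id'] for f in map(parse_alert, lines) if 'id' in f)
    return {rid: n for rid, n in counts.items() if n >= threshold}

def build_exclusions(counts):
    """Render modsecurity_crs_99_custom.conf lines. Note that SecRuleRemoveById
    switches the rule off for every request, not only for the parameter that was noisy."""
    return ''.join(f'SecRuleRemoveById {rid}\n' for rid in sorted(counts))

INCLUDE_RE = re.compile(r'^\s*Include\S*\s+"?([^"\s]+)', re.M)

def custom_conf_loaded_last(httpd_conf):
    """True if the 99_custom file is the last ModSecurity include: SecRuleRemoveById
    only affects rules that were already loaded, so it must come after the CRS files."""
    paths = [p for p in INCLUDE_RE.findall(httpd_conf) if 'modsec' in p.lower()]
    return bool(paths) and paths[-1].endswith('modsecurity_crs_99_custom.conf')

# Constructed httpd.conf fragments: custom file after the CRS (good) and before it (bad).
GOOD_CONF = ('Include conf/modsecurity.conf\n'
             'Include conf/modsec_current/base_rules/*.conf\n'
             'Include conf/modsec_current/modsecurity_crs_99_custom.conf\n')
BAD_CONF = ('Include conf/modsec_current/modsecurity_crs_99_custom.conf\n'
            'Include conf/modsec_current/base_rules/*.conf\n')
```

Run count_by_rule over your own error log lines with a threshold that reflects real traffic, and review each ID before pasting build_exclusions output into the custom file.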
Notes:
For general information about ModSecurity see the Reference Manual (one source for this manual is in the Related Links section below).