ModSecurity Exception Handling - Conditionally Remove a Rule ID


This article applies to:

  • ModSecurity

Question:

  • How can I address false positives?
  • How do I set up exception handling?

Procedure:

There are many methods of implementing Exception Handling in ModSecurity to address false positive alerts.  This article outlines an approach which will conditionally disable a problematic rule ID (based on the URL) by using the ctl:ruleRemoveById action.

For example, consider the following ModSecurity alert message (formatted for readability):

[Sun Jun 30 13:45:43 2013] [error] [client 192.168.11.143] ModSecurity: Access denied with code 403 
(phase 2). Pattern match "(^[\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at ARGS:DocCopyList.
[file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "66"] [id "981318"] [rev "2"]
[msg "SQL Injection Attack: Common Injection Testing Detected"]
[data "Matched Data: \xb4 found within ARGS:DocCopyList: \xd9\x8a\xd8\xb4\xd9\x8a\xd8\xb4\xd8\xb3\xd9\x8a\xd8\xb4"]
[severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"]
[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
[tag "WASCTC/WASC-19"]
[tag "OWASP_TOP_10/A1"]
[tag "OWASP_AppSensor/CIE1"]
[tag "PCI/6.5.2"]
[hostname "192.168.11.60"]
[uri "/DMS-V2/doc_out/doc_out_new.php"]
[unique_id "UdAMV8CoCzwAAHRHMhYAAAAB"]

If rule ID 981318 is causing many issues on the /DMS-V2/doc_out/doc_out_new.php page, you can add the following new rule to a modsecurity_crs_00_custom.conf file:

SecRule REQUEST_FILENAME "@streq /DMS-V2/doc_out/doc_out_new.php" "id:1,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=981318"

This rule would conditionally disable rule ID 981318 for the current transaction if the client was requesting that webpage.  

Make sure that the modsecurity_crs_00_custom.conf file is activated in the web server configurations so that it is called up BEFORE the normal ModSecurity rules.

Notes:

For general information about ModSecurity see the Reference Manual (one source for this manual is in the Related Links section below).


Last Modified 11/12/2014.
https://support.trustwave.com/kb/KnowledgebaseArticle20056.aspx