How to edit regular expression within Modsecurity Rule

Time:06-03

I need to modify specific regular expressions in the following rule(ID: 932130 - file REQUEST-932-APPLICATION-ATTACK-RCE.conf) without changing the original file:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\$(?:\((?:\(.*\)|.*)\)|\{.*\})|[<>]\(.*\))" \

So the point is I need to exclude the last part of the regex, [<>](.*)), from the ARGS variable. I tried the command SecRuleUpdateTargetById 932130 "!ARGS:/[<>]\(.*\)/" in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf but had no luck.

I am grateful for your help.

CodePudding user response:

CRS Dev-On-Duty here. You cannot change the regular expression of this rule.

If you have to tune an OWASP ModSecurity Core Rule Set (CRS) rule, you have the following possibilities:

  • Remove the rule entirely with SecRuleRemoveById 932130 -> include after CRS -> not recommended; there are more granular possibilities like:

  • Remove the rule for a specific argument SecRuleUpdateTargetById 932130 "ARGS:yourArg" -> include after CRS

  • Remove the rule for a specific argument in combination with additional conditions like a path for example -> include before CRS

    SecRule REQUEST_URI "@beginsWith /my/path" \
    "phase:1,nolog,pass,id:10000,ctl:ruleRemoveTargetById=932130;ARGS:yourArg"

If you want to learn more about the tuning of false positives in CRS, I highly recommend the CRS co-leaders tutorials, especially this one: https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/.

CodePudding user response:

Thank you for your response.

I resolved this by removing ARGS from rule 932130 with the command SecRuleUpdateTargetById 932130 "!ARGS" inside RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.

After that, I created a new rule in my custom file (before CRS), the same as 932130 but with only the ARGS variable and without the regex [<>](.*)). So the original file has not been modified manually.

In this case, the variable holds the table name and field (for example ARGS[equipment][description]), which is dynamic: more tables have the same field. The description field contains the HTML paragraph tag <p>, and whenever the user types something in brackets like (test), it triggers rule 932130 and the matched value is like >(test).
