Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Review exclusion documentation
See original GitHub issue_Issue originally created by user lifeforms on date 2016-03-25 20:20:13. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/319._
The file REQUEST-00-LOCAL-WHITELIST.conf.example is rather short. It should contain various examples of common whitelist rules. Some ideas:
Whitelist a cookie from all CRS rules after validating it (should be recommended- this only skips when the value is known to be safe):
SecRule REQUEST_COOKIES:PHPSESSID "^[a-zA-z0-9\-,]+$" \
"id:1,phase:request,t:none,nolog,pass,\
ctl:ruleRemoveTargetByTag=CRS;REQUEST_COOKIES:PHPSESSID"
Whitelist a get/post parameter from all CRS rules
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
"id:2,phase:request,t:none,nolog,pass,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
Whitelist all get/post parameters from CRS rules
SecRule REQUEST_FILENAME "@endsWith /weirdform.php" \
"id:3,phase:request,t:none,nolog,pass,\
ctl:ruleRemoveTargetByTag=CRS;ARGS"
Whitelist a url completely from CRS rules (should be discouraged)
SecRule REQUEST_FILENAME "@endsWith /weirdform.php" \
"id:4,phase:request,t:none,nolog,pass,\
ctl:ruleRemoveByTag=CRS"
Disable all rules for a platform or language not in use, e.g. platform-windows:
SecRule REQUEST_FILENAME "@endsWith /weirdform.php" \
"id:5,phase:request,t:none,nolog,pass,\
ctl:ruleRemoveByTag=platform-windows"
Disable all the Windows rules for a complete site/vhost:
SecAction \
"id:6,phase:request,t:none,nolog,pass,\
ctl:ruleRemoveByTag=platform-windows"
Explain to create a new .conf file with the same name to make it active (file is now called .conf.example)
Explain that ctl:ruleRemoveTargetById/Tag and ctl:ruleRemoveById/Tag must be run BEFORE the CRS rules. If the user desires to put these whitelistings in a different .conf file, it must be included in Apache config earlier than the CRS.
Maybe also explain the SecRuleRemoveByTag/Id rules. Though these must run AFTER. I don’t know if there is any advantage to them. If so, should we explain it? If not, could we settle on recommending just one system instead of two?
Issue Analytics
- State:
- Created 3 years ago
- Comments:27
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
User csanders-git commented on date 2016-07-26 18:53:53:
There is a massive advantage to using SecRuleRemoveBy* from a performance perspective as it isn’t in memory. It is removed at boot as opposed to being removed per transaction.
User dune73 commented on date 2016-10-03 20:11:46:
Closing in favor of PR #601.