Review exclusion documentation
See original GitHub issue. Issue originally created by user lifeforms on 2016-03-25 20:20:13. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/319.
The file REQUEST-00-LOCAL-WHITELIST.conf.example is rather short. It should contain various examples of common whitelist rules. Some ideas:
Whitelist a cookie from all CRS rules after validating it (should be recommended: this only skips when the value is known to be safe):
SecRule REQUEST_COOKIES:PHPSESSID "^[a-zA-Z0-9\-,]+$" \
"id:1,phase:request,t:none,nolog,pass,\
ctl:ruleRemoveTargetByTag=CRS;REQUEST_COOKIES:PHPSESSID"
Whitelist a GET/POST parameter from all CRS rules:
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
"id:2,phase:request,t:none,nolog,pass,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
Whitelist all GET/POST parameters from CRS rules:
SecRule REQUEST_FILENAME "@endsWith /weirdform.php" \
"id:3,phase:request,t:none,nolog,pass,\
ctl:ruleRemoveTargetByTag=CRS;ARGS"
Whitelist a URL completely from CRS rules (should be discouraged):
SecRule REQUEST_FILENAME "@endsWith /weirdform.php" \
"id:4,phase:request,t:none,nolog,pass,\
ctl:ruleRemoveByTag=CRS"
Disable all rules for a platform or language not in use, e.g. platform-windows:
SecRule REQUEST_FILENAME "@endsWith /weirdform.php" \
"id:5,phase:request,t:none,nolog,pass,\
ctl:ruleRemoveByTag=platform-windows"
Disable all the Windows rules for a complete site/vhost:
SecAction \
"id:6,phase:request,t:none,nolog,pass,\
ctl:ruleRemoveByTag=platform-windows"
Explain to create a new .conf file with the same name to make it active (file is now called .conf.example).
Explain that ctl:ruleRemoveTargetById/Tag and ctl:ruleRemoveById/Tag must be run BEFORE the CRS rules. If the user desires to put these whitelistings in a different .conf file, it must be included in Apache config earlier than the CRS.
Maybe also explain the SecRuleRemoveByTag/Id rules. Though these must run AFTER. I don't know if there is any advantage to them. If so, should we explain it? If not, could we settle on recommending just one system instead of two?
Issue Analytics
- Created 3 years ago
- Comments: 27
Top GitHub Comments
User csanders-git commented on 2016-07-26 18:53:53:
There is a massive advantage to using SecRuleRemoveBy* from a performance perspective, as it isn't in memory. It is removed at boot as opposed to being removed per transaction.
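The two points made in this thread, that ctl:ruleRemove* exclusions must be loaded before the CRS rules while SecRuleRemoveBy* directives must come after them, and that the latter are applied once at startup rather than on every transaction, can be shown together in one virtual-host layout. The following is an added Apache/ModSecurity configuration example; it is not from the issue author or the CRS project, and the include paths, rule ids and setup file name are assumptions for illustration.

```apache
# Added example (not from the CRS project or the issue): where each kind of
# exclusion has to sit relative to the CRS includes. Paths are assumptions.
<IfModule security2_module>
    Include /etc/modsecurity/modsecurity.conf       # engine settings (assumed path)
    Include /etc/modsecurity/crs/crs-setup.conf     # CRS setup file (assumed path)

    # 1. Runtime exclusions (ctl:ruleRemoveTargetByTag / ctl:ruleRemoveByTag).
    #    Evaluated on every request and only affecting rules that run AFTER
    #    them, so they must appear BEFORE the CRS include. Local ids 1-99999
    #    are reserved for site rules; 10001/10002 are arbitrary picks.
    #    The cookie is validated first, so the exclusion only applies when the
    #    value is already known to be safe. Note the range is A-Z: a typo such
    #    as A-z would also admit the characters [ \ ] ^ _ ` and loosen the gate.
    SecRule REQUEST_COOKIES:PHPSESSID "^[a-zA-Z0-9\-,]+$" \
        "id:10001,phase:request,t:none,nolog,pass,\
        ctl:ruleRemoveTargetByTag=CRS;REQUEST_COOKIES:PHPSESSID"

    # Exclude only one parameter on one URL, not the whole request.
    SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
        "id:10002,phase:request,t:none,nolog,pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"

    Include /etc/modsecurity/crs/rules/*.conf       # the CRS rules (assumed path)

    # 2. Configure-time exclusions (SecRuleRemoveByTag / SecRuleRemoveById).
    #    These operate on rules that are already loaded, so they must appear
    #    AFTER the CRS include. The matching rules are dropped once when Apache
    #    starts and are never evaluated per transaction, which is the
    #    performance advantage noted above.
    SecRuleRemoveByTag "platform-windows"
</IfModule>
```

A ctl action only affects rules that run after it, so with phase:request (phase 2) any CRS rules that inspect the same variable in phase 1 are still applied; when the excluded variable is available in phase 1, as request cookies and the request filename are, writing the exclusion rule with phase:1 covers both phases. Checking the merged configuration with apachectl -t after editing catches ordering mistakes such as a SecRuleRemoveByTag placed before the rules it names, which would otherwise silently remove nothing.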
User dune73 commented on 2016-10-03 20:11:46:
Closing in favor of PR #601.