
We have the following rules that are not working, and we wanted to whitelist this warning (in Event Viewer), which contains "testinguri" in the URI.

  1. SecRule REQUEST_URI "@contains testinguri\?op\=message" "id:200006,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 1'"

  2. SecRule REQUEST_URI "@beginsWith /en-us/testinguri?op=message" "id:200007,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 2'"

  3. SecRule REQUEST_URI "^/en-us/testinguri?op=message.*" "id:200008,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 3'"

  4. SecRule REQUEST_URI "@contains testinguri" "id:200009,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 4'"

The above rules are all for the same purpose; we added them to see if any version of the rule works, but no luck.

Below is the warning from the Event Viewer; we want to allow the URI that has "testinguri" in it. It is running in Detection mode right now.

ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "C:\Program Files\ModSecurity IIS\owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Windows Command Injection; individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "computerName"] [uri "/en-us/testinguri?op=message&to=FULL URI..."] [unique_id "454534234234234"]

Can you please help with this? Thanks.

neuro

1 Answer


We were able to figure it out. We created a conf file, test.conf, and put the rules that we wanted to whitelist in it.

Then, in the modsecurity_iis.conf file, we added a reference to this file at the end.

This works for us. Hope this will help someone. Thanks.

Bsquare ℬℬ
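A worked version of the setup described in the answer, added here as an example and not part of the original question or answer. Two things in the original rules are worth knowing when writing the exclusion file: with SecRuleEngine set to DetectionOnly, ModSecurity evaluates rules but never executes disruptive actions, and `allow` is a disruptive action, so the `allow` in the posted rules is ignored; `ctl:ruleEngine=DetectionOnly` is a no-op when the engine is already in that mode. `ctl:` actions are non-disruptive and still take effect, so `ctl:ruleEngine=Off` is what actually stops the CRS from scoring the request. In rule 3 the `?` in `testinguri?op` is a regex quantifier (it makes the preceding `i` optional), not a literal question mark, which would need `\?`. The file name test.conf, the rule ids 10001 and 10002, the `to` argument and the paths are assumptions for illustration; check the audit log for the CRS rule that actually scored the request before narrowing the exclusion.

```apache
# test.conf (added example; file name and ids are assumptions)
#
# Option 1: skip the CRS entirely for any request whose path starts with
# /en-us/testinguri. @beginsWith matches REQUEST_URI literally, so the query
# string does not have to be escaped. ctl:ruleEngine=Off is non-disruptive
# and therefore works even while SecRuleEngine is DetectionOnly; "allow"
# would not, because disruptive actions are never executed in that mode.
SecRule REQUEST_URI "@beginsWith /en-us/testinguri" \
    "id:10001,phase:1,pass,nolog,ctl:ruleEngine=Off"

# Option 2 (narrower, assumed): keep inspecting the request but stop the
# remote-command-execution rules (CRS tag attack-rce) from looking at the
# "to" argument, which in the logged URI carries a full URL. Everything
# else in the request is still scored.
SecRule REQUEST_URI "@beginsWith /en-us/testinguri" \
    "id:10002,phase:1,pass,nolog,ctl:ruleRemoveTargetByTag=attack-rce;ARGS:to"

# If a regex is preferred instead of @beginsWith, escape the "?" so it is
# matched literally rather than making the "i" optional:
#   SecRule REQUEST_URI "@rx ^/en-us/testinguri\?op=message" ...

# modsecurity_iis.conf (excerpt; paths assumed). A phase:1 ctl rule runs
# before the phase:2 CRS detection rules wherever it is included, so
# appending the file, as the answer does, works; the CRS convention is to
# load exclusions before the rule set, via its
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf or an Include placed ahead of
# the rules directory:
#   Include test.conf
#   Include owasp-modsecurity-crs/crs-setup.conf
#   Include owasp-modsecurity-crs/rules/*.conf
```

Use only one of the two rules; option 1 blinds the WAF to everything on that path, option 2 keeps the rest of the request under inspection and is the safer default once the offending argument is known from the audit log.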