
I just ran into a problem with rule 981173 [msg "Restricted SQL Character Anomaly Detection Alert - Total"] when sending some YouTube IDs to the database. Some IDs have special characters like -, which I guess is the reason a warning was raised.

I have been trying to exclude the $_POST key video[391][] from the rule, where 391 is a product id and so it's not a fixed key. It can be video[500][] or something alike.

I have tried

    SecRuleUpdateTargetById 981173 !ARGS:video[*][]

but it isn't working. Any idea on how to exclude this dynamic $_POST key from the rule?

    Message: Access denied with code 403 (phase 2).
    Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}"
    at ARGS_NAMES:video[391][]. [file "/etc/httpd/crs-tecmint/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
    [line "159"] [id "981173"] [rev "2"]
    [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]
    [data "Matched Data: ] found within ARGS_NAMES:video[391][]: video[391][]"] [ver "OWASP_CRS/2.2.9"] [maturity "9"]
    [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
RedGiant
  • I was almost right. Had ARGS instead of ARGS_NAMES, and you can see from your error that ARGS_NAMES is what it's flagging. Have corrected now and I tested this on ModSecurity v2.9. – Barry Pollard Sep 08 '15 at 15:55

1 Answer


I think it should be:

    SecRuleUpdateTargetById 981173 "!ARGS_NAMES:/^video\[.*\]\[\]/"

or if only numeric ids then this:

    SecRuleUpdateTargetById 981173 "!ARGS_NAMES:/^video\[[0-9]*\]\[\]/"

See regular expression example here: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecRuleUpdateTargetById

Barry Pollard
  • Thank you. I have a special case where the name is `video[s3][product_id][]`. Does the first example `"!ARGS_NAMES:/^video\[.*\]\[\]/"` cover that as well? I have tried it and it seems to work for that too, but I want to make sure of it. – RedGiant Sep 08 '15 at 19:31
  • Yes it does, but more by luck, and it wasn't my intention because I assumed you had two square brackets and the second (and last) one was empty. In this more recent example you have gone to three square brackets. But actually this works as the .* matches "s3][product_id" and then the rest fits. But as I say, more by luck than by design! – Barry Pollard Sep 08 '15 at 19:58
  • You could go for the more generic: SecRuleUpdateTargetById 981173 "!ARGS_NAMES:/^video\[.*\]$/" which will match anything beginning with "video[" and ending with "]" – Barry Pollard Sep 08 '15 at 19:59
  • Hmm that last comment has removed the escapes from the square brackets. Make sure you put a \ before the [ and also before the ] characters as these characters have special meaning in regular expressions. – Barry Pollard Sep 08 '15 at 20:10
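To see which parameter names each of the three exclusion regexes from the answer and comments actually removes from rule 981173 (including the `video[s3][product_id][]` case that works "by luck", and why the question's literal `!ARGS:video[*][]` target matched nothing), here is an added Python check that is not part of the original thread; it assumes Python's `re.search` approximates ModSecurity's unanchored PCRE target matching for these patterns, and the parameter names are constructed samples.

```python
import re

# Constructed sample ARGS_NAMES as ModSecurity would see them for the POST in
# the question; the last three are names the exclusion should NOT cover.
SAMPLE_ARG_NAMES = [
    "video[391][]",
    "video[500][]",
    "video[s3][product_id][]",
    "video[391]",
    "comment",
    "vid[391][]",
]

# The three regex targets from the answer and comments, exactly as they appear
# between the slashes of "!ARGS_NAMES:/.../".
EXCLUSIONS = {
    "answer (any id, two brackets)": r"^video\[.*\]\[\]",
    "answer (numeric id only)": r"^video\[[0-9]*\]\[\]",
    "comment (generic)": r"^video\[.*\]$",
}


def excluded_names(pattern, names):
    """Names a "!ARGS_NAMES:/pattern/" target removes from the rule.
    ModSecurity runs an unanchored PCRE search on regex targets, which
    re.search approximates here (assumption)."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


def still_inspected(pattern, names):
    """Names that rule 981173 still inspects after the exclusion."""
    excluded = set(excluded_names(pattern, names))
    return [n for n in names if n not in excluded]


def literal_excluded(target, names):
    """The question's attempt "!ARGS:video[*][]" has no slashes, so it is a
    literal (case-insensitive) parameter name, not a regex; it would only
    ever exclude a parameter literally named "video[*][]"."""
    return [n for n in names if n.lower() == target.lower()]


if __name__ == "__main__":
    print("literal video[*][] excludes:", literal_excluded("video[*][]", SAMPLE_ARG_NAMES))
    for label, pattern in EXCLUSIONS.items():
        print(f"{label}: /{pattern}/")
        print("  excluded: ", excluded_names(pattern, SAMPLE_ARG_NAMES))
        print("  inspected:", still_inspected(pattern, SAMPLE_ARG_NAMES))
```

Note that the generic form also excludes `video[391]` (no trailing `[]`), so choose the numeric-only variant if the parameter names are entirely under your control.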