Excluding group of rules for specific arguments

Question

I see many requests blocked in my modsec_audit.log because of sql injection rules applying to JSESSIONID cookie.

I am trying to avoid those rules for that particular cookie name.

My last attempt was:

SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION" "!REQUEST_COOKIES:JSESSIONID"

It does not work. Am I missing something?

score 1 · Accepted Answer · answered Sep 03 '16 at 15:15

1

Your syntax looks correct.

Are you specifying this AFTER the SQL Injection rules are loaded into your config? Common mistake.

If not that, then can only suggest you give more details. Including:

Have you restarted Apache to pick up this change?
Can you give an example of errors in your logs?
Have you tried debug mode to give more detail of what's happening and if your override is being picked up?

answered Sep 03 '16 at 15:15

Barry Pollard

A matter of quotes: SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION" !REQUEST_COOKIES:'JSESSIONID' – Fabio B. Sep 12 '16 at 08:15

1 Answers1