ModSecurity: Ignore Array ARGS

Question

I want an exclusion rule for a request to be evaluated at runtime. The body of the request is an array. e.g

["somestring", "someRandomString",....]

This is the rule I have written:

SecRule REQUEST_URI "@beginsWith /my/url" \

              "phase:2,nolog,pass,id:10000,ctl:ruleRemoveTargetById=942100;ARGS"

However, the array ARGS are not excluded. I have not found anything about this in the online docs. Help would be appreciated.

Is this rule defined before 942100 in your config? Rules with the action ctl:ruleRemoveTargetById=942100 actions must be specified *before* the rules they alter, unlike SecRuleUpdateTargetById which must be specified *after* confusingly enough. — Barry Pollard, Jun 04 '19 at 16:54
@BarryPollard I defined it after. Let me check. Also I was thinking the syntax might be off. So it seems the syntax is correct? — Syed Osama Maruf, Jun 05 '19 at 08:49

score 1 · Accepted Answer · answered Jun 05 '19 at 15:25

1

Make sure this is defined before rule 942100.

ctl actions must be specified before the rules they alter, unlike SecRuleUpdateTargetById which must be specified after, confusingly enough.

answered Jun 05 '19 at 15:25

Barry Pollard

40,655
7
76
92

We are revamping our config to allow this; will get back to you when done. – Syed Osama Maruf Jun 06 '19 at 11:12

ModSecurity: Ignore Array ARGS

1 Answers1