I want to create an exclusion to disable a specific rule (ID: 920180) in my system. How should I write the syntax in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf?

Here is my exclusion, but I'm not sure it fully covers disabling it:

SecRule REQUEST_HEADERS:Transfer-Encoding "@eq 0" "id:91001,phase:1,msg:'POST without Content-Length or Transfer-Encoding headers',pass,nolog,noauditlog,ctl:ruleRemovebyID=920180"

The error I want to apply the exclusion to is this:

ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:Transfer-Encoding' (Value: `0' ) [file "/etc/nginx/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "222"] [id "920180"] [rev ""] [msg "POST without Content-Length or Transfer-Encoding headers"] [data "HTTP/1.1"] [severity "4"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [hostname "127.00.00.00"] [uri "/sample/api"] [unique_id "3562345"] [ref "v7,4"]

This is the actual rule from the documentation, ID 920180: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L280

neuro
hammer89

1 Answer

Your exclusion rule is almost correct. But the & in front of REQUEST_HEADERS:Transfer-Encoding is missing.

&REQUEST_HEADERS:Transfer-Encoding (with the ampersand) counts the number of Transfer-Encoding headers.

Without the & (ampersand), the content of the Transfer-Encoding header is compared to the value 0.

I'm not sure whether you really want to remove the rule in general for nonexistent Transfer-Encoding headers, or whether you want to restrict this to certain clients (IP addresses, user agents, ...). But that is your decision. I don't know exactly what you need.

But in any case, this exclusion rule will now work.

By the way: The current OWASP Core Rule Set repository is https://github.com/coreruleset/coreruleset/.

franbuehler
  • Hey @franbuehler, yeah, I want to disable this rule on my system. As you said, I updated my rule. `SecRule &REQUEST_HEADERS:Transfer-Encoding "@eq 0" "id:91001,phase:1,msg:'POST without Content-Length or Transfer-Encoding headers',pass,nolog,noauditlog,ctl:ruleRemovebyID=920180"` `SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "id:91002,phase:1,msg:'POST without Content-Length or Transfer-Encoding headers',pass,nolog,noauditlog,ctl:ruleRemovebyID=920180"` I wrote 2 rules, one of them for Transfer-Encoding and the other one for Content-Length. Can I disable it in one rule instead of these 2 rules? – hammer89 Jun 04 '21 at 07:26
  • This error contains two different headers. Should I create a different rule for each header, or can I write it with just one rule? Another quick question: what is the first id in the command? I couldn't figure it out. Is this a unique id for the rule? I thought so, and I gave it a random number :) – hammer89 Jun 04 '21 at 07:29
  • If you want to disable the rule in case of a missing Transfer-Encoding header OR a missing Content-Length header, that means you entirely disable this rule, because this is what the rule is meant for. And for this reason, to entirely disable the rule, you can use: `SecRuleRemoveById 920180`. – franbuehler Jun 04 '21 at 10:51
  • You mean the `id:91001`? This is the id of the exclusion rule you create. Every rule has to have an id. They must not collide with the rule numbers of the CRS (9xxxxx) and other rule numbers. In this documentation you'll find the rule id ranges: https://coreruleset.org/docs/ruleid.html. So this part here is relevant for you: "1-99,999; reserved for local (internal) use. Use as you see fit but do not use this range for rules that are distributed to others." – franbuehler Jun 04 '21 at 11:04
  • 1
    You're very welcome :-) Franziska from the OWASP CRS team – franbuehler Jun 04 '21 at 12:26
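The following is an added example, not part of the question, the answer or the CRS project itself. It collects the exclusion forms discussed above into one file fragment for REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf: the original rule without the `&` (kept only as a comparison), the corrected single-header rule from the answer, a chained rule covering both headers at once (the follow-up from the comments), an optional URI-scoped variant, and the unconditional `SecRuleRemoveById`. Rule ids 91001/91002 and the path /sample/api are taken from the thread; the URI scoping and the `msg` texts are assumptions made for the example.

```apacheconf
# Added example (not from the original post). Contents for
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, which the CRS loads before
# its own rules, so these phase:1 exclusions run before 920180 is evaluated.
# Ids 91001/91002 sit in the 1-99,999 range reserved for local use.

# --- 1. What the question had: kept only as a comparison, do not use ---
# Without the leading '&' the *value* of Transfer-Encoding is compared to 0,
# so this only matches a request that literally sends "Transfer-Encoding: 0".
# SecRule REQUEST_HEADERS:Transfer-Encoding "@eq 0" \
#     "id:91001,phase:1,pass,nolog,noauditlog,ctl:ruleRemoveById=920180"

# --- 2. Corrected form from the answer ---
# '&VAR' yields the *count* of matching headers; "@eq 0" means "header absent".
SecRule &REQUEST_HEADERS:Transfer-Encoding "@eq 0" \
    "id:91001,\
    phase:1,\
    pass,\
    nolog,\
    noauditlog,\
    msg:'Drop 920180 when Transfer-Encoding is absent',\
    ctl:ruleRemoveById=920180"

# --- 3. Both headers in one rule (the follow-up question in the comments) ---
# A chain is a logical AND. Put the ctl action on the LAST link: non-disruptive
# actions on the chain starter execute as soon as that link matches, before
# the remaining links have been checked.
SecRule &REQUEST_HEADERS:Transfer-Encoding "@eq 0" \
    "id:91002,\
    phase:1,\
    pass,\
    nolog,\
    noauditlog,\
    msg:'Drop 920180 when neither Transfer-Encoding nor Content-Length is present',\
    chain"
    SecRule &REQUEST_HEADERS:Content-Length "@eq 0" \
        "ctl:ruleRemoveById=920180"

# --- 4. Optional: scope the exclusion instead of applying it globally ---
# Assumption for this example: only the API path seen in the audit log should be
# exempt. Rule 920180 keeps protecting every other URI.
# SecRule REQUEST_URI "@beginsWith /sample/api" \
#     "id:91003,phase:1,pass,nolog,noauditlog,ctl:ruleRemoveById=920180"

# --- 5. Unconditional removal (suggested in the comments) ---
# Excluding "either header missing" is exactly the condition 920180 detects,
# so if that is the intent, this one directive is the simplest and clearest.
# SecRuleRemoveById 920180
```

After editing, reload the web server and replay the request from the audit log; the `[id "920180"]` warning should no longer appear for the excluded case, while a POST carrying a Content-Length header still passes through the rule unchanged. Variant 5 needs no SecRule at all and removes the rule for every request, so prefer 2 to 4 when only some traffic should be exempt.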