Nicholas,

Core Rule ID # 950004 searches the REQUEST_HEADERS variable, which includes all request headers including Cookies. If you wanted to make an exclusion to not inspect Cookies at all for this XSS rule, then add the following to the rule variable line - !REQUEST_HEADERS:Cookie. While this would work, I would recommend that you try not to alter the Core Rules themselves but rather contain your custom/local updates to a separate config file. The best solution is to create a custom rules file called modsecurity_crs_15_customrules.conf and place it in the same directory as the other Core Rules. The name of this file is important as you want it to be read just after the modsecurity_crs_10_config.conf file. Having your custom rules read next allows you to override other Core Rules sigs that are causing false positives in your environment. Here is an ls listing of the Core Rules directory -
# ls
CHANGELOG
modsecurity_crs_20_protocol_violations.conf
modsecurity_crs_50_outbound.conf
LICENSE
modsecurity_crs_30_http_policy.conf
modsecurity_crs_55_marketing.conf
modsecurity-core-rules_2.0-1.2.tar
modsecurity_crs_35_bad_robots.conf
README
modsecurity_crs_10_config.conf
modsecurity_crs_40_generic_attacks.conf
modsecurity_crs_15_customrules.conf
modsecurity_crs_45_trojans.conf

Next, let's look at the custom rules file -

# cat modsecurity_crs_15_customrules.conf
# XSS
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Cookie "(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b|[_vbscript_])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|background-image:|@import)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)\b)" \
    "log,id:1,severity:2,msg:'Cross-site Scripting (XSS) Attack'"

<LocationMatch />
SecRuleRemoveByID 950004
</LocationMatch>
We are doing 2 things here -

- We have copied Rule ID # 950004, however we have updated it to include our new Cookie header exclusion. We have also given this rule a new Rule ID # of 1. FYI - if you are creating custom rules, use the range between 1-99999. See the updated Reference Manual for more information on ID range reservations.
- We also added in an Apache LocationMatch directive that contains the SecRuleRemoveById directive that will remove the Core Rule ID # 950004 that was causing you problems.
With this type of methodology, you can create custom exclusions that get executed prior to the Core Rules and it allows for easy updating of the Core Rules themselves. What we don't want to have happen is that people have altered the Core Rules files themselves so much for their environment that they do not want to upgrade in the future because they would have to re-implement all of their custom configs. With this scenario, you can download new Core Rules versions as they are released and then just copy over your modsecurity_crs_15_customrules.conf file and you are ready to go.
Ryan C. Barnett
Director of Application Security Training
Breach Security, Inc.
Phone: 703-794-2248
Cell: 703-269-8998
Ryan.Barnett@xxxxxxxxxx
www.Breach.com
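The behaviour Ryan describes comes down to how ModSecurity builds a rule's target list: a positive selector adds a whole collection, and a negated selector removes members from that same collection only, which is why !REQUEST_COOKIES_NAMES cannot stop the raw Cookie header from being inspected through REQUEST_HEADERS. The following Python model is an added example, not ModSecurity code and not part of the original thread; it uses a constructed request, a constructed short stand-in for the 950004 expression, and a regex-selector form (!COLLECTION:/regex/) that is an assumption modelled loosely on ModSecurity syntax rather than a claim about what the 2007 release supported.

```python
import re

# Constructed stand-in for the (much longer) 950004 XSS expression; only a few
# of its sub-patterns are kept, enough to exercise the target selection logic.
XSS_PATTERN = re.compile(
    r"(?:<script|\bon(?:load|click|mouse(?:over|out))\b\W*?=|javascript:)",
    re.IGNORECASE,
)


def build_request(path, args, headers):
    """Build the collections a rule can select from (simplified model).

    Cookies are parsed out of the Cookie header so that REQUEST_COOKIES and
    REQUEST_COOKIES_NAMES exist, while REQUEST_HEADERS still carries the raw
    Cookie header exactly as the client sent it.
    """
    cookies = {}
    for part in headers.get("Cookie", "").split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name] = value
    return {
        "REQUEST_FILENAME": {"REQUEST_FILENAME": path},
        "ARGS": dict(args),
        "ARGS_NAMES": {name: name for name in args},
        "REQUEST_HEADERS": dict(headers),
        "REQUEST_COOKIES": cookies,
        "REQUEST_COOKIES_NAMES": {name: name for name in cookies},
    }


def select_targets(request, variables):
    """Return {(collection, member): value} for the targets a rule inspects.

    `variables` is the rule's variable list split on '|', e.g.
    ["ARGS", "REQUEST_HEADERS", "!REQUEST_HEADERS:Cookie"].  A negated entry
    only ever removes members of the collection it names; it has no effect on
    any other collection, even one derived from the same data.
    """
    selected, exclusions = {}, []
    for spec in variables:
        negate = spec.startswith("!")
        coll, _, member = spec.lstrip("!").partition(":")
        if negate:
            exclusions.append((coll, member))
        else:
            for name, value in request.get(coll, {}).items():
                selected[(coll, name)] = value
    for coll, member in exclusions:
        if member.startswith("/") and member.endswith("/"):
            # Assumed regex-selector form, e.g. !REQUEST_COOKIES:/\.cookie/
            pat = re.compile(member[1:-1], re.IGNORECASE)
            matches = lambda name, p=pat: p.search(name) is not None
        else:
            matches = lambda name, m=member: name.lower() == m.lower()
        for key in [k for k in selected if k[0] == coll and matches(k[1])]:
            del selected[key]
    return selected


def evaluate_rule(request, variables, pattern=XSS_PATTERN):
    """Return the sorted 'COLLECTION:member' targets the pattern fires on."""
    return sorted(
        f"{coll}:{name}"
        for (coll, name), value in select_targets(request, variables).items()
        if pattern.search(value)
    )


# Constructed request: a genuinely hostile query parameter plus a harmless
# cookie whose serialized value happens to look like an event-handler assignment.
REQUEST = build_request(
    "/search",
    {"q": "<script>alert(1)</script>"},
    {
        "Host": "www.example.com",
        "User-Agent": "Mozilla/5.0",
        "Cookie": "session=abc123; ui.cookie=onload=1; theme=dark",
    },
)

# Target lists used in the thread and the two ways of narrowing them.
ORIGINAL = ["REQUEST_FILENAME", "ARGS", "ARGS_NAMES", "REQUEST_HEADERS"]
NO_COOKIE_HEADER = ORIGINAL + ["!REQUEST_HEADERS:Cookie"]
NAMES_NEGATED = ORIGINAL + ["!REQUEST_COOKIES_NAMES:/\\.cookie/"]
PER_COOKIE = NO_COOKIE_HEADER + ["REQUEST_COOKIES", "!REQUEST_COOKIES:/\\.cookie/"]

if __name__ == "__main__":
    for label, variables in [("original", ORIGINAL), ("no Cookie header", NO_COOKIE_HEADER),
                             ("names negated", NAMES_NEGATED), ("per-cookie", PER_COOKIE)]:
        print(f"{label:18s} -> {evaluate_rule(REQUEST, variables)}")
```

Running it shows the four outcomes side by side: the original list fires on both ARGS:q and REQUEST_HEADERS:Cookie; !REQUEST_HEADERS:Cookie silences the cookie hit but also stops inspecting every cookie; negating REQUEST_COOKIES_NAMES changes nothing because that collection was never in the target list; and inspecting REQUEST_COOKIES individually with a name-based exclusion keeps the XSS check on the remaining cookies while dropping only the one that caused the false positive. That last variant is the smallest blind spot of the three, which is the trade-off to weigh when choosing an exclusion.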
From: mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Nicholas Vulgrinski
Sent: Friday, January 26, 2007 10:06 AM
To: mod-security-users@xxxxxxxxxxxxxxxxxxxxx
Subject: [mod-security-users] REQUEST_COOKIES_NAMES

Can I use REQUEST_COOKIES_NAMES to exclude cookie names from being included in an XSS rule match (950004)? Adding !REQUEST_COOKIES_NAMES does not seem to work.

Is there a way to exclude cookie names that include .cookie in their name from triggering using something like !REQUEST_COOKIES_NAMES:[.]cookie