I am a newcomer to OWASP ModSecurity, and I wanted to know how I should exclude some specific rules for certain URLs.
I've searched and found that I should exclude them in the modsecurity.conf file, but I don't exactly know where it is. Once I find it, I'm not sure how to write the command. I couldn't find anything in the documentation pages.
For example, for this rule:
SecRule REQUEST_URI|ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){2})" \
    "id:942432,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)',\
    logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'paranoia-level/4',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/66',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.8.0',\
    severity:'WARNING',\
    setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
    setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
The mentioned rule from CRS 4.8.0 is 942432. The file modsecurity.conf is part of ModSecurity. If you want to make an exclusion, you should put it into REQUEST-900-EXCLUSIONS-BEFORE.conf.
First, copy/move this file without the .example suffix, then add the exclusions, which would be something like this:
SecRule REQUEST_URI "@beginsWith /your/uri" \
    "id:10000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=942432"
This rule will prevent rule 942432 from executing if the URI begins with /your/uri.
For more information, please read the tuning section of CRS.
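The following shell script is an added example that scripts the two steps from the answer above; it is not code from the question, the answer, or the CRS project. It assumes the CRS rule files live under a directory given by `CRS_DIR` (defaulting to the hypothetical `/etc/modsecurity/crs`, adjust to your install), creates the live exclusions file from its `.example` copy if it does not exist yet, and appends a `ctl:ruleRemoveById` exclusion. Before appending, it refuses an exclusion id that is already present in the file, because duplicate rule ids make the engine fail to load its configuration. The helper names (`ensure_exclusion_file`, `make_exclusion`, `append_exclusion`) are this example's own.

```shell
#!/bin/sh
# Added example: automates "copy the .example file, then add an exclusion".
# CRS_DIR is an assumption; point it at the directory holding the CRS .conf files.
set -eu

CRS_DIR="${CRS_DIR:-/etc/modsecurity/crs}"
EXCL_FILE="REQUEST-900-EXCLUSIONS-BEFORE.conf"

# Step 1: make sure the live exclusions file exists, creating it from the
# shipped .example copy when needed. Prints the path of the live file.
ensure_exclusion_file() {
    dir="$1"
    if [ ! -f "$dir/$EXCL_FILE" ]; then
        cp "$dir/$EXCL_FILE.example" "$dir/$EXCL_FILE"
    fi
    printf '%s\n' "$dir/$EXCL_FILE"
}

# Step 2a: render one exclusion rule in the shape used in the answer.
# $1 = id of the exclusion rule itself (CRS leaves 1-99999 free for local rules),
# $2 = URI prefix to match, $3 = CRS rule id (or id range) to switch off there.
make_exclusion() {
    excl_id="$1"; uri="$2"; crs_ids="$3"
    printf 'SecRule REQUEST_URI "@beginsWith %s" \\\n' "$uri"
    printf '    "id:%s,\\\n    phase:1,\\\n    pass,\\\n    nolog,\\\n    ctl:ruleRemoveById=%s"\n' \
        "$excl_id" "$crs_ids"
}

# Step 2b: append the rule to the live file, refusing a duplicate exclusion id.
append_exclusion() {
    file="$1"; excl_id="$2"; uri="$3"; crs_ids="$4"
    if grep -q "id:$excl_id," "$file"; then
        echo "exclusion id $excl_id already used in $file" >&2
        return 1
    fi
    make_exclusion "$excl_id" "$uri" "$crs_ids" >> "$file"
}

# Usage: only touches a real install when the directory exists.
if [ -d "$CRS_DIR" ]; then
    live=$(ensure_exclusion_file "$CRS_DIR")
    append_exclusion "$live" 10000 /your/uri 942432
fi
```

After running it, reload the web server's configuration test (for example `apachectl -t` or `nginx -t`, depending on which server embeds ModSecurity) before restarting, so a typo in the exclusion is caught while the previous configuration is still serving.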