Richard Jones
2016-01-14 14:45:35 UTC
Hi All,
This list seems to be quite low volume, so if questions like the one
below are inappropriate then please let me know.
I’ve identified a few false positives for a web form on one of our
sites. The method is a POST and a sample of the cookie is as follows:
Cookie: VarQuestion_0001=Lots%of%percent%signs%and%similar%here%and%SQL%like%statements%select%join%delete
I’ve been trying to put together an exception for cookies with these
names but can’t get the syntax right. Can anyone help?
The following seems to parse but I’ve no idea if it’s working or not.
Specifically I doubt that chain will extend to all the following
SecRuleUpdate’s.
SecRule REQUEST_URI "(?i)/+nmsruntime" \
"chain,id:'000002',phase:1,t:none,pass,log"
SecRuleUpdateTargetById 981317 "!REQUEST_COOKIES:/^VarQuestion_[0-9]+/"
SecRuleUpdateTargetById 981257 "!REQUEST_COOKIES:/^VarQuestion_[0-9]+/"
SecRuleUpdateTargetById 981245 "!REQUEST_COOKIES:/^VarQuestion_[0
And using the Anomaly scoring method I couldn’t work out how to update
the REQUEST_COOKIE target to exclude these cookies, and it doesn’t look
like I can use a regex to capture VarQuestion_[0-9]+.
Thanks,
Richard
--
http://www.jonze.com/privacy.html