We are getting a lot of False Positives from using 3rd part software on our server. They themselves can't seem to fix it and I'm trying to work out how to allow cookies through that contain "CERTAINSTRING_"
Below is an example of one of the bans. They are all the same rule id
www.mysite.com 27.33.154.111 981231 [15/Dec/2013:12:14:36 +1100]
Pattern match: \
"(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" \
at REQUEST_COOKIES: _CERTAINSTRING. \
[file "/usr/local/apache/conf/modsecurity_crs_41_sql_injection_attacks.conf"] \
[line "49"] \
[id "981231"] \
[rev "2"] \
[msg "SQL Comment Sequence Detected."] \
[data "Matched Data: 1#"
"description::325,1091,/file-path/file-name/999/1,http://www.mysite.com/file-path/file-name/999/1#"
"rev found within REQUEST_COOKIES:_CERTAINSTRING: 240,1091,/file-path/file-name/999/1,http://www.mysite.com/file-path/file-name/999/1#"
"description::325,1091,/file-path/file-name/999/1,http://www.mysite…”] \
[severity "CRITICAL"] \
[ver "OWASP_CRS/2.2.8"] \
[maturity "8"] \
[accuracy "8"] \
[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] \
[tag "WASCTC/WASC-19"] \
[tag "OWASP_TOP_10/A1"]
Best Answer
You can use SecRuleUpdateTargetById to modify the rule
Which would disable the rule that is causing you pain for request cookies whose name begins with _CERTAINSTRING.
Update:
The rule above needs to be placed after the rule to which it refers is defined. This is normally done by creating a file that is read after all of the CRS rules e.g. based on the location referenced in your audit log message
/usr/local/apache/conf/modsecurity_crs_61_customrules.conf