RedGiant
Reputation: 4748
Updating an arugement of a ModSecurity Core Rule
I have a big form that probably needs to send 1000 POST DATA arguments at most. Sometimes it would triggers a false alarm from rule 960335 of the OWASP Core rulset. I looked into that rule in modsecurity_crs_23_request_limits.conf but I can't figure out how to set the max_num_args higher on that specific form.
In modsecurity_crs_60_customrules.conf, I have tried:
<LocationMatch "/form.php">
SecRuleUpdateTargetById 960335 ARGS:"@gt %1000"
</LocationMatch>
But the syntax check gave me this error
`Updating target by ID with no ruleset in this context`
Can anyone tell me how to set the max_num_args higher?
Here's rule 960335:
SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,block,
msg:'Too many arguments in request',id:'960335',
severity:'4',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',
accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
SecRule &ARGS "@gt %{tx.max_num_args}" "t:none,setvar:'tx.msg=%{rule.msg}',
setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},
setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
Upvotes: 0
Views: 1698
Answers (1)
Barry Pollard
Reputation: 46050
This is set in the modsecurity_crs_10_setup.conf file:
# -- Maximum number of arguments in request limited
SecAction \
"id:'900006', \
phase:1, \
t:none, \
setvar:tx.max_num_args=255, \
nolog, \
pass"
Upvotes: 1
Related Questions
- ModSecurity rule 214940 warning
- Add rule to mod_security via .htaccess
- Mod security rule breaking Apache configtest
- Extra sensitive Mod Security rules giving 403 forbidden error
- ModSecurity: No action id present within the rule
- Disaabe rule by ID in modsecurity on apache
- Updating Apache Mod Security Core Rule OWASP Rule 950120 to allow URLs in one specific input
- Modsecurity create config file with rules for specific URL
- Using Regular Expression in updating an argument in Mod Security Core Ruleset OWASP
- How can I modify a pattern in Modsecurity Core Rule Set