
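I just ran into a problem with rule 981173 [msg "Restricted SQL Character Anomaly Detection Alert - Total] when sending some YouTube IDs to the database. Some IDs contain the special character -, which I guess is what triggers the alert.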

I have been trying to exclude the $_POST key video[391][] from the rule, where 391 is the product ID, so it is not a fixed key. It can be video[500][] or something similar.

I tried

    SecRuleUpdateTargetById 981173 !ARGS:video[*][]

but it doesn't work. Any ideas on how to exclude this dynamic $_POST key from the rule?

  Message: Access denied with code 403 (phase 2). 
  Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" 
at ARGS_NAMES:video[391][]. [file "/etc/httpd/crs-tecmint/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] 
[line "159"] [id "981173"] [rev "2"] 
[msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] 
[data "Matched Data: ] found within ARGS_NAMES:video[391][]: video[391][]"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] 
[accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]

1 Answer

2

I think it should be:

    SecRuleUpdateTargetById 981173 "!ARGS_NAMES:/^video\[.*\]\[\]/"

Or, if the IDs are only numeric, then this:

    SecRuleUpdateTargetById 981173 "!ARGS_NAMES:/^video\[[0-9]*\]\[\]/"

See the regex example here: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecRuleUpdateTargetById

Answered 2015-08-26T19:51:34.720
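The following is an added example, not part of the question or the answer: a small Python model of rule 981173's pattern (taken from the log above) applied to parameter names, showing which names each exclusion regex removes from inspection. The `numeric_anchored` variant, the sample names, and the unanchored-search model of the exclusion are assumptions made for illustration.

```python
import re

# Rule 981173's pattern as shown in the log above, with escapes simplified for Python.
RULE_981173 = re.compile(r"""([~!@#$%^&*()\-+={}\[\]|:;"'´’‘`<>].*?){4,}""")

# The two exclusion regexes from the answer, plus an end-anchored variant
# (assumption, not from the page) for comparison.
EXCLUSIONS = {
    "any": re.compile(r"^video\[.*\]\[\]"),
    "numeric": re.compile(r"^video\[[0-9]*\]\[\]"),
    "numeric_anchored": re.compile(r"^video\[[0-9]+\]\[\]$"),
}


def rule_fires(name, exclusion=None):
    """Simplified model of ARGS_NAMES inspection: a name matched by the
    exclusion regex (unanchored search) is skipped, otherwise the rule runs."""
    if exclusion is not None and EXCLUSIONS[exclusion].search(name):
        return False
    return RULE_981173.search(name) is not None


def still_inspected(names, exclusion):
    """Names that would still trigger the rule with the given exclusion active."""
    return [n for n in names if rule_fires(n, exclusion)]


# Constructed sample parameter names.
SAMPLE_NAMES = [
    "video[391][]",          # the name from the log: four brackets trip the rule
    "video[500][]",
    "video[a'b;c][]",        # non-numeric index with extra special characters
    "video[391][]x(y)z{w}",  # numeric index followed by trailing characters
    "title",
]

if __name__ == "__main__":
    for key in EXCLUSIONS:
        print(key, "->", still_inspected(SAMPLE_NAMES, key))
```

The broad `.*` form exempts every sample name, the numeric form still exempts a name with trailing characters because it has no `$`, and only the anchored variant limits the exemption to exactly `video[<digits>][]`.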