Is there any way to update the pattern of a rule in a modsecurity_crs_custom.conf file? I have a rich text editor that lets people wrap up link text. The <a href></a> is raising a warning from rule 973304. I want to exclude href from the pattern but I don't know how to do that. It doesn't look like there is an option along the lines of SecRuleUpdatePatternById.
I have tried:
SecRuleUpdateTargetById 973304 "XML:\b(background|dynsrc|lowsrc|src)\b\W*?="
But that is obviously not working.
Here's the warning:
Message: Access denied with code 403 (phase 2). Pattern match
"\\b(background|dynsrc|href|lowsrc|src)\\b\\W*?=" at ARGS:comment.
[file "/etc/httpd/crs/owasp- modsecurity/crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
[line "333"] [id "973304"] [rev "2"] [msg "XSS Attack Detected"]
[data "Matched Data: href= found within ARGS:comment:
txt <a href=\x22http://kslll.com/391\x22>dgfdfgfdf </a> ......
I'm not aware of a way of editing the pattern so the easiest way would probably be to ignore the whole rule for that argument:
SecRuleUpdateTargetById 973304 "!ARGS:comment"
If you wanted to keep the other protection the rule gives but not the href bit then you could add a copy of the rule back in again (with a different rule id) but without the href bit.
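The two steps from the answer above, put together as an added example (not part of the original answer and not the CRS project's own rule text). The rule id 90304, the msg text and the simplified action list are assumptions; copy the real transformations and actions from rule 973304 in your own modsecurity_crs_41_xss_attacks.conf.

```apache
# modsecurity_crs_custom.conf
# Must be loaded AFTER the CRS base rules, because SecRuleUpdateTargetById
# can only modify a rule that has already been defined.

# Step 1: stop rule 973304 from inspecting the rich-text field.
# Every other argument is still checked by the original rule.
SecRuleUpdateTargetById 973304 "!ARGS:comment"

# Step 2: re-add the check for that one field, without "href" in the pattern.
# id 90304 is a hypothetical id picked from the local-use range; it only has
# to be unique in your configuration.
SecRule ARGS:comment "\b(background|dynsrc|lowsrc|src)\b\W*?=" \
    "id:90304,\
    phase:2,\
    t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,\
    capture,\
    deny,status:403,log,\
    msg:'XSS Attack Detected (comment field, href permitted)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
```

With this in place, href= in ARGS:comment no longer triggers either rule, so the link targets submitted through the editor still need to be validated by the application before they are stored or rendered.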