
Using Regular Expression in updating an argument in Mod Security Core Ruleset OWASP


I just ran into a problem with rule 981173 [msg "Restricted SQL Character Anomaly Detection Alert - Total] for sending some YouTube IDs to the database. Some IDs have special characters like -, which I guess is the reason a warning was raised.

I have been trying to exclude the $_POST key video[391][] from the rule, where 391 is a product id and so it's not a fixed key. It can be video[500][] or something similar.

I have tried

    SecRuleUpdateTargetById 981173 !ARGS:video[*][]

but it isn't working. Any idea on how to exclude this dynamic $_POST key from the rule?

    Message: Access denied with code 403 (phase 2).
    Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}"
    at ARGS_NAMES:video[391][]. [file "/etc/httpd/crs-tecmint/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
    [line "159"] [id "981173"] [rev "2"]
    [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]
    [data "Matched Data: ] found within ARGS_NAMES:video[391][]: video[391][]"] [ver "OWASP_CRS/2.2.9"] [maturity "9"]
    [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]

Solution

  • I think it should be:

    SecRuleUpdateTargetById 981173 "!ARGS_NAMES:/^video\[.*\]\[\]/"
    

    or if only numeric ids then this:

    SecRuleUpdateTargetById 981173 "!ARGS_NAMES:/^video\[[0-9]*\]\[\]/"
    

    See regular expression example here: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecRuleUpdateTargetById
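
An added example (not part of the original question or answer) that models in Python which parameter names rule 981173 still flags under each exclusion selector. The selector handling is a simplified assumption (a `/.../` selector is a regex, anything else a literal name), the sample names are constructed, and the end-anchored `STRICT` selector is a tightening added here, not taken from the answer.

```python
import re

# Pattern of rule 981173, transcribed from the log message in the question.
RULE_981173 = re.compile(r"""([~!@#$%^&*()\-+={}\[\]|:;"'´’‘`<>].*?){4,}""")

# Constructed sample parameter names (not from the original post).
ODD_INDEX = "video[1'\"();][]tail"   # non-numeric index plus trailing text
ODD_TAIL = "video[7][]x()"           # numeric index plus trailing text
NAMES = ["video[391][]", "video[500][]", "title", ODD_INDEX, ODD_TAIL]

ATTEMPT = "video[*][]"                     # selector tried in the question
BROAD = r"/^video\[.*\]\[\]/"              # first selector from the answer
NUMERIC = r"/^video\[[0-9]*\]\[\]/"        # second selector from the answer
STRICT = r"/^video\[[0-9]+\]\[\]$/"        # added here: digits required, end anchored


def excluded(selector, name):
    """Simplified model (assumption): /.../ is a regex, anything else a literal name."""
    if len(selector) > 1 and selector.startswith("/") and selector.endswith("/"):
        return re.search(selector[1:-1], name) is not None
    return selector.lower() == name.lower()


def flagged_names(names, selector):
    """Names the rule still inspects after the exclusion and that match its pattern."""
    return [n for n in names if not excluded(selector, n) and RULE_981173.search(n)]


if __name__ == "__main__":
    for label, sel in [("attempt", ATTEMPT), ("broad", BROAD),
                       ("numeric", NUMERIC), ("strict", STRICT)]:
        print(f"{label:8} {sel:28} still flagged: {flagged_names(NAMES, sel)}")
```

The literal `video[*][]` excludes nothing, while the `.*` selector also takes both constructed odd names out of this rule's inspection; the narrower selectors keep them flagged.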