A while back when we talked about ModSecurity with the IBM developers (specifically @Scott Exton), when they were implementing it into webseal, the IBM developers said it was not possible to customize the rule actions based on the URI (junction) path. On WCP this was possible, although we never used the functionality and rather just had a set of rules we applied in blocking for all paths behind the webseal instances.
Of course we are getting questions about this now from our application teams that want specific rules enabled for blocking. So I am trying to think in my head if there is some way this can be done. Is there anyone on here that may have some deep ModSecurity knowledge or some other ideas to make this happen?
Currently in the webseal WAF (ModSecurity) instance configuration, I am setting this for all phases (1-5):
# SecDefaultAction "phase:1,allow,log,auditlog"
# SecDefaultAction "phase:1,deny,status:403,log,auditlog"
Then at the end of the WAF (ModSecurity) rules for the environment (containers or on each virtual appliance) I am setting this in the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf file (I do this for the various IDs that we want enabled for blocking, in this case we use a redirect instead of a deny):
SecRuleUpdateActionById 932130 "t:none,redirect:'https://%{request_headers.host}/static/waf_block.html',log,auditlog"
This works great for all paths (URIs / junctions) on the webseals. It logs everything by default, and then blocks specific rule IDs.
What we are being asked is to have certain rules blocked for certain URIs / paths / junctions. For example:
/application_secure would block ID 1,5,10,20,50,100
/application_public would block all IDs
/application_internal would not block anything
Can anyone think of any way to do this without having specific SecRule entries for each OWASP rule for each application? For example, would there be any way to say like:
SecRuleUpdateActionById 932130 "t:none,redirect:'https://%{request_headers.host}/static/waf_block.html',log,auditlog" but only for /application_secure
Thanks for your thoughts!
------------------------------
Matt Jenkins
------------------------------
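One way to get per-junction behaviour without touching the OWASP rules themselves, as an added example that is not part of the original post and not IBM or CRS code: classify the request by path in phase 1 (before CRS runs) into a profile variable, and move the disruptive decision into rules that run after CRS in phase 2, while the CRS rules keep the poster's log-only default action. The junction paths, the rule IDs 10001-10120, the `tx.app_profile` variable and the blocked ID list are assumptions for illustration. The block-by-ID check also assumes CRS 3.x, which records each matched rule as a `TX` variable whose name starts with the rule ID (for example `tx.932130-OWASP_CRS/...`), and that the `&TX:/regex/` counting form is available in the ModSecurity build.

```apache
# Added example (not from the original post). Assumes CRS 3.x rule layout
# (REQUEST-900 / REQUEST-999 exclusion files) and the per-rule TX variables
# that CRS 3.x sets on every match. Paths, IDs and tx.app_profile are assumed.

# --- 1. Classify by junction path in phase 1, before any CRS rule runs ---
# Put these in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.

# /application_internal: never block. ctl:ruleEngine=DetectionOnly turns every
# disruptive action into log-only for this transaction; CRS still evaluates
# and logs, so nothing is lost in the audit log.
SecRule REQUEST_URI "@beginsWith /application_internal" \
    "id:10001,phase:1,pass,nolog,\
    setvar:tx.app_profile=internal,\
    ctl:ruleEngine=DetectionOnly"

# /application_public: block on any CRS match (decided in step 2).
SecRule REQUEST_URI "@beginsWith /application_public" \
    "id:10002,phase:1,pass,nolog,\
    setvar:tx.app_profile=public"

# /application_secure: block only a chosen list of rule IDs (decided in step 2).
SecRule REQUEST_URI "@beginsWith /application_secure" \
    "id:10003,phase:1,pass,nolog,\
    setvar:tx.app_profile=secure"

# --- 2. Decide per profile in phase 2, after CRS has evaluated ---
# Put these in REQUEST-999-EXCLUSION-RULES-AFTER-CRS.conf, so they run after
# the CRS request rules. The global SecDefaultAction stays allow,log,auditlog;
# the redirect below is the only disruptive action for these junctions.

# public: any inbound anomaly score means at least one CRS rule matched.
SecRule TX:APP_PROFILE "@streq public" \
    "id:10110,phase:2,log,auditlog,\
    msg:'WAF block: any CRS match on /application_public',\
    redirect:'https://%{request_headers.host}/static/waf_block.html',\
    chain"
    SecRule TX:ANOMALY_SCORE "@gt 0"

# secure: block only if one of the listed rule IDs fired. Assumption: CRS 3.x
# sets a TX variable named <ruleid>-OWASP_CRS/... for each matched rule, so
# counting TX variables whose name starts with a listed ID tells us whether
# that rule matched. Extend the alternation with the IDs you want blocked.
SecRule TX:APP_PROFILE "@streq secure" \
    "id:10120,phase:2,log,auditlog,\
    msg:'WAF block: listed CRS rule matched on /application_secure',\
    redirect:'https://%{request_headers.host}/static/waf_block.html',\
    chain"
    SecRule &TX:/^(932130|941100|942100)-/ "@gt 0"
```

With this layout the single global `SecRuleUpdateActionById 932130 ... redirect` line is no longer needed: 932130 logs everywhere, the redirect for it happens only when `tx.app_profile` is `secure`, and adding a junction means adding one phase-1 classifier rule rather than one `SecRule` per OWASP rule per application. After deploying, confirm in the audit log that a request matching 932130 under `/application_internal` shows the CRS match but no disruptive action, and that the same request under `/application_secure` is answered with the redirect and the `msg` from rule 10120.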