apiVersion: v1 kind: ConfigMap metadata: name: response-999-exclusion-rules-after-crs-config namespace: nginx data: RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf: |- # ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.3.4 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # The purpose of this file is to hold LOCAL exceptions for your site. # The types of rules that would go into this file are one where you want # to unconditionally disable rules or modify their actions during startup. # # Please see the file REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example # for a description of the rule exclusions mechanism and the correct # use of this file. # # # Example Exclusion Rule: To unconditionally disable a rule ID # # ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection # SecRuleRemoveById 942100 # Example Exclusion Rule: Remove a group of rules # # ModSecurity Rule Exclusion: Disable PHP injection rules # SecRuleRemoveByTag "attack-injection-php" # # Example Exclusion Rule: To unconditionally remove parameter "foo" from # inspection for SQLi rules # # ModSecurity Rule Exclusion: disable sqli rules for parameter foo. # SecRuleUpdateTargetByTag "attack-sqli" "!ARGS:foo" # -- [[ Changing the Disruptive Action for Anomaly Mode ]] -- # # In Anomaly Mode (default in CRS3), the rules in REQUEST-949-BLOCKING-EVALUATION.conf # and RESPONSE-959-BLOCKING-EVALUATION.conf check the accumulated attack scores # against your policy. To apply a disruptive action, they overwrite the default # actions specified in SecDefaultAction (setup.conf) with a 'deny' action. # This 'deny' is by default paired with a 'status:403' action. # # In order to change the disruptive action from 'deny' to something else, # you must use SecRuleUpdateActionByID directives AFTER the CRS rules # are configured, for instance in the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf file. # # These actions only apply when using Anomaly Mode. # # Default action: block with error 403 # (No configuration needed in this file if you want the default behavior.) # # Example: redirect back to the homepage on blocking # # SecRuleUpdateActionById 949110 "t:none,redirect:'http://%{request_headers.host}/'" # SecRuleUpdateActionById 959100 "t:none,redirect:'http://%{request_headers.host}/'" # Example: redirect to another URL on blocking # # SecRuleUpdateActionById 949110 "t:none,redirect:'http://example.com/report_problem'" # SecRuleUpdateActionById 959100 "t:none,redirect:'http://example.com/report_problem'" # Example: send an error 404 # # SecRuleUpdateActionById 949110 "t:none,deny,status:404" # SecRuleUpdateActionById 959100 "t:none,deny,status:404" # Example: drop the connection (best for DoS attacks) # # SecRuleUpdateActionById 949110 "t:none,drop" # SecRuleUpdateActionById 959100 "t:none,drop" # CR/LF + HTTP method name. SecRuleRemoveByID 921110 # US-ASCII Malformed Encoding XSS Filter - Attack Detected # Deleted because of use of multilaguage support # https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1645 SecRuleRemoveByID 941310