September 2015

Example Whitelisting Rules for Apache ModSecurity and the OWASP Core Rule Set


Recently, I've spent a lot of time tweaking my ModSecurity configuration to remove some false positives.

This tutorial will:

  • Explain the the various methods of altering ModSecurity rules starting with the crudest and working up to the more specific techniques
  • Give some varied examples of custom rules written for exception handling, with a particular focus on the rules distributed by the OWASP Core Rule Set team.

I am calling the process of removing false positives "whitelisting", but technically I should be calling it "exception handling". However, I think more people looking for this information will find it by searching for "whitelisting".