[feature request] Macro expansion when counting/comparing variables #1131

Open
@std0ut

Description

With the changes to CRS_41_SQLi a few versions ago where multiple rules were combined into a single regex, I've often found it would be useful to be able to do this:

SecRule &TX:973338-OWASP_CRS/WEB_ATTACK/XSS-ARGS:%{tx.1} "@ge 1" "setvar:tx.anomaly_score=-%{tx.critical_anomaly_score}"

For example, in rule 973338, there are several regex branches we want to keep, but one of them is overly broad for our purposes (i.e. [\s\S]style[\s\S]), and I'd like to write a score adjustment only if that rule is matched, and the args value is "\wstyle_sheet.jsp$."

These are the current work-arounds I know of, but none of them are ideal:

1.) I could remove the rule, but that prevents other less aggressive branches from matching as well.
2.) I could write a score adjustment without checking that the rule matches, but this opens the possibility that future CRS changes may change the rule and points would be given back arbitrarily.
3.) I could rewrite the rule (e.g. remove in CRS_99 and add a modified rule to CRS_15), but that seems like a kludge, and if I only want to rewrite for specific URIs, ARGS, etc., it gets even messier (I end up adding three or more rules instead of one score adjustment).

If there is a way to do this in 2.9.X and I'm just messing up the syntax, PLEASE let me know, but debug suggests it's not being expanded. I've run into this issue 5-10 times over the last year or two and I figured it's finally time to just submit a request.
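One way to get close to the requested behaviour on 2.9.x without macro expansion inside the variable name, written here as an added example that is neither from the issue nor from the CRS: select the per-rule match variables by a regex on their name (the `COLLECTION:/regex/` target syntax) and chain onto a plain ARGS check. The rule id 1000001, the phase, and the `tx.<id>-OWASP_CRS/WEB_ATTACK/XSS-ARGS:<param>` name layout are assumptions taken from the rule quoted above.

```apache
# Added example, not from the issue or the CRS.
# Goal: give back the critical score only when rule 973338 fired on some
# ARGS parameter AND the request argument looks like the benign
# "<word>style_sheet.jsp" value from the report.
#
# Step 1: TX:/regex/ selects every TX variable whose NAME matches the
# regex, so the exact parameter name does not have to be expanded into
# the target. If 973338 did not fire, no variable is selected and the
# chain never runs.
# Step 2 (chained): confirm the argument value before adjusting the score.
# Assumed id 1000001; must load after CRS_41 (e.g. from a CRS_99-style
# file) so the per-rule TX variable already exists in phase 2.
SecRule TX:/^973338-.*-ARGS:/ "@unconditionalMatch" \
    "id:1000001,phase:2,pass,t:none,nolog,chain,\
    msg:'Score adjustment: 973338 false positive on style_sheet.jsp'"
    SecRule ARGS "@rx \wstyle_sheet\.jsp$" \
        "t:none,setvar:tx.anomaly_score=-%{tx.critical_anomaly_score}"
```

Caveat: the chained ARGS check is not tied to the specific parameter that triggered 973338, so the adjustment also fires if a different parameter carries the style_sheet.jsp value; narrow the second target (e.g. ARGS:name) when the parameter is known.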
