
Comments (10)

rcbarnett-zz avatar rcbarnett-zz commented on August 11, 2024

Can you provide any audit log examples? It would help to see the actual transactions.

from owasp-modsecurity-crs.

yabdab avatar yabdab commented on August 11, 2024

Here is one example of many...

--ad7db20e-A--
[30/Apr/2013:05:52:21 --0400] UX@UVTJwlUoAAGfO1C4AAAAH 127.0.0.1 40404 127.0.0.1 80
--ad7db20e-B--
GET /arrangor/hestertilkurset/files/ui-bg_highlight-soft_75_cccccc_1x100.png HTTP/1.1
Host: somesite.com
User-Agent: Serf/1.1.0 mod_pagespeed/1.1.23.2-2258

--ad7db20e-F--
HTTP/1.1 200 OK
Last-Modified: Wed, 13 Jan 2010 16:13:25 GMT
ETag: "65-47d0e0cd2d340"
Accept-Ranges: bytes
Content-Length: 101
Content-Type: image/png

--ad7db20e-E--

--ad7db20e-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=, XSS=): Request Missing an Accept Header"]
Stopwatch: 1367315541264090 13623 (- - -)
Stopwatch2: 1367315541264090 13623; combined=538, p1=123, p2=292, p3=3, p4=37, p5=82, sr=16, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.1 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "ENABLED"

--ad7db20e-Z--


rcbarnett-zz avatar rcbarnett-zz commented on August 11, 2024

I would suggest that you implement a local exception to disable rule ID 960015 for mod_pagespeed. Add the following to a modsecurity_crs_15_custom.conf file:

SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" "chain,id:100,t:none,nolog,pass"
SecRule REQUEST_HEADERS:User-Agent "@contains mod_pagespeed" "ctl:ruleRemoveById=960015"


yabdab avatar yabdab commented on August 11, 2024

That seemed to work on that instance, but a lot of other stuff is still getting blocked. Is there a way to exclude all mod_pagespeed user agent hits?


rcbarnett-zz avatar rcbarnett-zz commented on August 11, 2024

Sure just turn off the rule engine entirely like this -

SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" "chain,id:100,t:none,nolog,pass"
SecRule REQUEST_HEADERS:User-Agent "@contains mod_pagespeed" "ctl:ruleEngine=Off"


rcbarnett-zz avatar rcbarnett-zz commented on August 11, 2024

Did this work for you?


yabdab avatar yabdab commented on August 11, 2024

Yes, sorry for the late reply. Worked great. Thanks!


dm-coding avatar dm-coding commented on August 11, 2024

Good stuff. re: "Sure just turn off the rule engine entirely like this -" - will that match both of Remote Address == 127.0.0.1 AND User-Agent contains 'mod_pagespeed'? Matching both is ideal. Presumably we don't want to turn off the rule engine for all queries emanating from localhost.


rcbarnett-zz avatar rcbarnett-zz commented on August 11, 2024

Yes - the "chain" rule with the "ctl" action on the last line means that it will turn the rule engine off only if both SecRules match.

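As an added example (not code from this thread or from the OWASP CRS project), the following Python script parses the serial-format audit entry posted above (sections A, B and H) and then replays the chained exception against it, showing that the ctl action on the last link fires only when both the REMOTE_ADDR condition and the User-Agent condition hold. The sample entry is a constructed copy of the one quoted in the thread, trimmed to the sections the script reads; the operator functions are simplified stand-ins for ModSecurity's @ipMatch and @contains and are assumptions, not the engine's own implementation.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the serial-format audit entry quoted in the thread,
# trimmed to the sections this script reads (A = connection, B = request
# headers, H = rule messages).
SAMPLE_ENTRY = """--ad7db20e-A--
[30/Apr/2013:05:52:21 --0400] UX@UVTJwlUoAAGfO1C4AAAAH 127.0.0.1 40404 127.0.0.1 80
--ad7db20e-B--
GET /arrangor/hestertilkurset/files/ui-bg_highlight-soft_75_cccccc_1x100.png HTTP/1.1
Host: somesite.com
User-Agent: Serf/1.1.0 mod_pagespeed/1.1.23.2-2258

--ad7db20e-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=, XSS=): Request Missing an Accept Header"]
Engine-Mode: "ENABLED"

--ad7db20e-Z--
"""

SECTION_RE = re.compile(r"^--[0-9a-f]+-([A-Z])--$")          # e.g. --ad7db20e-A--
A_LINE_RE = re.compile(r"^\[(.+?)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")  # ts id src sport dst dport
BRACKET_RE = re.compile(r'\[(\w+) "([^"]*)"\]')               # [id "960015"], [msg "..."], ...


def split_sections(entry):
    """Group the lines of one audit entry by its section letter."""
    sections, current = {}, None
    for line in entry.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_entry(entry):
    """Extract client IP, request headers and rule messages from one entry."""
    sections = split_sections(entry)
    a = A_LINE_RE.match(sections["A"][0])
    headers = {}
    for line in sections.get("B", [])[1:]:      # skip the request line
        if not line.strip():
            break                               # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    messages = [dict(BRACKET_RE.findall(line))
                for line in sections.get("H", []) if line.startswith("Message:")]
    return {"timestamp": a.group(1), "unique_id": a.group(2), "client_ip": a.group(3),
            "request_line": sections["B"][0], "headers": headers, "messages": messages}


def triggered_rule_ids(parsed):
    """Rule ids recorded in section H, in the order they fired."""
    return [m["id"] for m in parsed["messages"] if "id" in m]


# ---- the exception chain from the thread, modelled as operator functions ----
# These are simplified stand-ins (assumptions), not ModSecurity's operators.

def op_ipmatch(value, spec):
    """@ipMatch: comma-separated list of addresses or CIDR blocks."""
    addr = ip_address(value)
    return any(addr in ip_network(p.strip(), strict=False) for p in spec.split(","))


def op_contains(value, needle):
    """@contains with t:none: a plain, case-sensitive substring test."""
    return needle in value


# (variable, operator, argument) links; the ctl action sits on the last link.
EXCEPTION_CHAIN = [
    ("REMOTE_ADDR", op_ipmatch, "127.0.0.1"),
    ("REQUEST_HEADERS:User-Agent", op_contains, "mod_pagespeed"),
]


def chain_matches(chain, tx_vars):
    """A chain fires only when every link matches; one miss and the ctl never runs."""
    return all(op(tx_vars.get(var, ""), arg) for var, op, arg in chain)


def would_exception_apply(parsed, chain=EXCEPTION_CHAIN):
    """Replay the chain against a parsed entry (or a dict with the same keys)."""
    tx_vars = {"REMOTE_ADDR": parsed["client_ip"],
               "REQUEST_HEADERS:User-Agent": parsed["headers"].get("User-Agent", "")}
    return chain_matches(chain, tx_vars)


if __name__ == "__main__":
    entry = parse_entry(SAMPLE_ENTRY)
    print("client:", entry["client_ip"], "rules:", triggered_rule_ids(entry))
    print("exception applies to the posted entry:", would_exception_apply(entry))
    # Constructed: a localhost client with another User-Agent fails the second
    # link, so neither ruleRemoveById nor ruleEngine=Off would take effect for it.
    local_curl = {"client_ip": "127.0.0.1", "headers": {"User-Agent": "curl/7.29.0"}}
    print("exception applies to localhost curl:", would_exception_apply(local_curl))
```

Run it against a real audit log by splitting the file on the `--<id>-Z--` terminators and feeding each entry to `parse_entry`; replaying a planned exclusion this way, before it goes into modsecurity_crs_15_custom.conf, shows exactly which logged transactions it would have silenced.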

durduvakis avatar durduvakis commented on August 11, 2024

@rcbarnett
Nice information, thank you for this, I got some questions if you don't mind:

A) You set id:100 in the first rule, is this needed? Can it be omitted?
B) Can one set a specific, full string of a User-Agent without @contains?
C) How about including more, for example checking against HOST as well as the rest?

I am using the following to remove rules by id similar to your example:

[...] "ctl:ruleRemoveById=981220,ctl:ruleRemoveById=981222,ctl:ruleRemoveById=981405"
I tried:
[...] "ctl:ruleRemoveById=981220,981222,981405"
but I get an error on Apache restart. I mean, is there a more "character-economic" way to write the above?

Thanks for your attention.
Cheers

