Comments (10)
Can you provide any audit log examples? It would help to see the actual transactions.
from owasp-modsecurity-crs.
Here is one example of many...
--ad7db20e-A--
[30/Apr/2013:05:52:21 --0400] UX@UVTJwlUoAAGfO1C4AAAAH 127.0.0.1 40404 127.0.0.1 80
--ad7db20e-B--
GET /arrangor/hestertilkurset/files/ui-bg_highlight-soft_75_cccccc_1x100.png HTTP/1.1
Host: somesite.com
User-Agent: Serf/1.1.0 mod_pagespeed/1.1.23.2-2258
--ad7db20e-F--
HTTP/1.1 200 OK
Last-Modified: Wed, 13 Jan 2010 16:13:25 GMT
ETag: "65-47d0e0cd2d340"
Accept-Ranges: bytes
Content-Length: 101
Content-Type: image/png
--ad7db20e-E--
--ad7db20e-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=, XSS=): Request Missing an Accept Header"]
Stopwatch: 1367315541264090 13623 (- - -)
Stopwatch2: 1367315541264090 13623; combined=538, p1=123, p2=292, p3=3, p4=37, p5=82, sr=16, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.1 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "ENABLED"
--ad7db20e-Z--
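An added Python example, not code from the thread or from the CRS project, that parses the serial-format audit entry quoted above (sections A/B/H/Z) and tallies which rule IDs fired for requests whose User-Agent contains mod_pagespeed, which is what you want to see before choosing between a per-rule ruleRemoveById exception and switching the engine off for that client. The sample entry is trimmed from the one posted above; the function names are my own.

```python
import re

# Trimmed copy of the audit entry posted in the thread (serial audit-log format).
SAMPLE_ENTRY = """--ad7db20e-A--
[30/Apr/2013:05:52:21 --0400] UX@UVTJwlUoAAGfO1C4AAAAH 127.0.0.1 40404 127.0.0.1 80
--ad7db20e-B--
GET /arrangor/hestertilkurset/files/ui-bg_highlight-soft_75_cccccc_1x100.png HTTP/1.1
User-Agent: Serf/1.1.0 mod_pagespeed/1.1.23.2-2258
--ad7db20e-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=, XSS=): Request Missing an Accept Header"]
--ad7db20e-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)   # --<txid>-<section>--
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')           # [name "value"] pairs

def parse_entry(text):
    # Split one entry into {section_letter: body}; the Z section closes it.
    sections = {}
    marks = list(BOUNDARY.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        sections[m.group(2)] = text[m.end():end].strip("\n")
    return sections

def request_header(sections, name):
    # Section B is the request line followed by the request headers.
    for line in sections.get("B", "").splitlines()[1:]:
        k, _, v = line.partition(":")
        if k.strip().lower() == name.lower():
            return v.strip()
    return None

def fired_rules(sections):
    # Each "Message:" line in section H carries one rule match with its [id] and [msg].
    out = []
    for line in sections.get("H", "").splitlines():
        if line.startswith("Message:"):
            tags = dict(TAG.findall(line))
            out.append((tags.get("id"), tags.get("msg")))
    return out

def ids_by_user_agent(entries, needle="mod_pagespeed"):
    # Count rule IDs triggered by requests whose User-Agent contains `needle`.
    counts = {}
    for raw in entries:
        s = parse_entry(raw)
        if needle in (request_header(s, "User-Agent") or ""):
            for rid, _ in fired_rules(s):
                counts[rid] = counts.get(rid, 0) + 1
    return counts
```

Feed it every entry from a serial audit log (split on the `-Z--` boundary) and the returned counts tell you whether a handful of IDs account for the blocks, which is the case for a narrow exception rather than ruleEngine=Off.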
I would suggest that you implement a local exception to disable rule ID 960015 for mod_pagespeed. Add the following to a modsecurity_crs_15_custom.conf file:
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" "chain,id:100,t:none,nolog,pass"
SecRule REQUEST_HEADERS:User-Agent "@contains mod_pagespeed" "ctl:ruleRemoveById=960015"
That seemed to work on that instance, but a lot of other stuff is still getting blocked. Is there a way to exclude all mod_pagespeed user agent hits?
Sure just turn off the rule engine entirely like this -
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" "chain,id:100,t:none,nolog,pass"
SecRule REQUEST_HEADERS:User-Agent "@contains mod_pagespeed" "ctl:ruleEngine=Off"
Did this work for you?
Yes, sorry for the late reply. Worked great. Thanks!
Good stuff. re: "Sure just turn off the rule engine entirely like this -" - will that match both of Remote Address == 127.0.0.1 AND User-Agent contains 'mod_pagespeed'? Matching both is ideal. Presumably we don't want to turn off the rule engine for all queries emanating from localhost.
Yes - the "chain" rule with the "ctl" action on the last line means that it will turn the rule engine off only if both SecRules match.
@rcbarnett
Nice information, thank you for this. I have some questions if you don't mind:
A) You set id:100 in the first rule; is this needed? Can it be omitted?
B) Can one set a specific, full string of a User-Agent without @contains?
C) How about including more, for example checking against HOST as well as the rest?
I am using the following to remove rules by id similar to your example:
[...] "ctl:ruleRemoveById=981220,ctl:ruleRemoveById=981222,ctl:ruleRemoveById=981405"
I tried:
[...] "ctl:ruleRemoveById=981220,981222,981405"
but I get an error on Apache restart. I mean, is there a more "character-economic" way to write the above?
Thanks for your attention.
Cheers