You can add this rule to the rule file which name is 'REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf':
SecRule SERVER_NAME "lync-external.mydomain.com$" "id:1000,phase:1,pass,nolog,ctl:ruleRemoveTargetById=980130".
This means if the hostname is 'lync-external.mydomain.com',then disable the rule which id is 980130.
I searched google and was unable to find anything with this, appears to be blocked due to sql injection.
[Tue Feb 18 09:41:44.305146 2020] [:error] [pid 24930] [client x.x.x.x:55593] [client x.x.x.x] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Request content type is not allowed by policy; individual paranoia level scores: 10, 0, 0, 0"] [tag "event-correlation"] [hostname "lync-external.mydomain.com"] [uri "/ucwa/v1/applications/112568801446/batch"] [unique_id "Xkv3qPUQbEixqmAyRy9RdgAAAAg"], referer: https://lync-external.mydomain.com/lwa/WebPages/LwaClient.aspx?legacy=RmFsc2U!
Is it possible to bypass this just for one virtual host?
Last edit: End User 2020-02-18
You can add this rule to the rule file which name is 'REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf':
SecRule SERVER_NAME "lync-external.mydomain.com$" "id:1000,phase:1,pass,nolog,ctl:ruleRemoveTargetById=980130".
This means if the hostname is 'lync-external.mydomain.com',then disable the rule which id is 980130.
At 2020-02-18 23:48:22, "End User" geico234@users.sourceforge.net wrote:
I searched google and was unable to find anything with this, appears to be blocked due to sql injection.
[Tue Feb 18 09:41:44.305146 2020][:error][pid 24930][client x.x.x.x:55593][client x.x.x.x] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"][line "86"][id "980130"][msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Request content type is not allowed by policy; individual paranoia level scores: 10, 0, 0, 0"][tag "event-correlation"][hostname "lync-external.mydomain.com"][uri "/ucwa/v1/applications/112568801446/batch"][unique_id "Xkv3qPUQbEixqmAyRy9RdgAAAAg"], referer: https://lync-external.mydomain.com/lwa/WebPages/LwaClient.aspx?legacy=RmFsc2U!
Is it possible to bypass this just for on virtual host?
Lync 2013
Sent from sourceforge.net because you indicated interest in https://sourceforge.net/p/mod-security/discussion/1298046/
To unsubscribe from further messages, please visit https://sourceforge.net/auth/subscriptions/