Following up on Josh's comment – the OWASP CRS is a "ruleset" and you can run into configuration challenges if you decide to try and break it apart and only use certain subsets.  I would try and keep this main 10 setup file intact and then customize it for your env.

-Ryan

From: Josh Amishav-Zlatin <jamuse@owasp.org>
Date: Wednesday, May 22, 2013 10:59 AM
To: Thomas Eckert <thomas.r.w.eckert@gmail.com>
Cc: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: Re: [mod-security-users] Basic question regarding usage

On Wed, May 22, 2013 at 10:47 AM, Thomas Eckert <thomas.r.w.eckert@gmail.com> wrote:

Once I put rule 981176 as the very last rule overall mod_security started blocking the attacks and the log contains all matched rules. Is this the correct way of setting it up? Do I really have to put rule 981176 as the very last rule specific to inbound requests?

Hi Thomas,

That is correct. The CRS does this by using a numbering system in the file names.

--
 - Josh
 

Cheers,
  Thomas



On Tue, May 21, 2013 at 8:17 PM, Josh Amishav-Zlatin <jamuse@owasp.org> wrote:
On Tue, May 21, 2013 at 5:52 PM, Thomas Eckert <thomas.r.w.eckert@gmail.com> wrote:
Hi Josh,

My setup is kind of hard to explain because there are so many external components involved. Safe to say it's a non-standard setup but I am using the OWASP CRS, though only parts of it. Due to this setup I have no "modsecurity_crs_10_setup.conf" file but my equivalent (general mod_security config file) contains
    SecDefaultAction "phase:2,pass"

I checked the rule with id=900004 and interestingly I found no equivalent in my configuration, at least nothing with "anomaly_score_blocking=on" in it. So I added the rule in my general config, exactly as shipped with the v2.2.7 owasp-crs. No change in behaviour though.

Hi Thomas,

I suggest increasing your debug log level to 9 for you to better understand what is happening. It sounds to me like rule 981176 isn't being executed, perhaps because you enabled anomaly_score_blocking too late in the processing.


Looking at owasp-crs/modsecurity_crs_10_setup.conf I saw
    SecDefaultAction "phase:1,deny,log"
so I changed my default action from pass to deny. It started blocking and the log only contains one message by mod_security about the matched rule before apache logs a 403. I *think* this matches the behaviour described by the documentation in modsecurity_crs_10_setup.conf.example under "[[ Self-Contained Mode ]]" (line 86 in v2.2.7) where it states "The first rule that matches will block".
Still, simply changing a value is not gonna cut it, I'm afraid. I need to understand why this helps (if it does?).


When you set the default action to deny then the moment the first rule matches the rule inherits the default action and denies with a 403 response code. If you use anomaly mode then after a match the anomaly score is increased and ModSecurity continues processing the rest of the rules. Using the "classic" configuration, ModSecurity then makes a decision to block with a 403 response code or not based on the 49 config file (for inbound requests), assuming that that file is enabled and that the anomaly_score_blocking variable is set before rule 981176 is executed. Does that make sense?
 
Is there something specific I can look for in the audit log myself? I'm hesitant to post the complete audit log

Section K is what you want to look at. Feel free to send me a sanitized version of the audit log privately if you want and I'll try to help.

--
 - Josh
 


On Tue, May 21, 2013 at 3:48 PM, Josh Amishav-Zlatin <jamuse@owasp.org> wrote:
On Tue, May 21, 2013 at 4:36 PM, Thomas Eckert <thomas.r.w.eckert@gmail.com> wrote:


This "worked" before (meaning it got blocked correctly), so I guess I forgot to adapt some configuration to match the upgrade to 2.7.3. Likely some variables/config data are not initialized properly - maybe some threshold concerning the anomaly score?


Hi Thomas,

Take a look at your modsecurity_crs_10_setup.conf config file, what is your SecDefaultAction directive set to? If you're using anomaly scoring is rule 900004 enabled? If you provide us with an audit log (specifically section H and K) that would probably shed some light as to what the configuration error is exactly.

--
 - Josh 
 
Would someone please point me at the right place to read about this stuff? As stated, I'm new to this and don't know where to start.

Thanks in advance!

Cheers,
  Thomas

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
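The ordering problem Josh explains above (in anomaly mode each matching rule only adds to tx.anomaly_score, the 981176-style evaluation rule has to run after all scoring rules, and tx.anomaly_score_blocking must already be "on" when it runs; in self-contained mode the first matching rule inherits SecDefaultAction's deny and processing stops) can be made concrete with a small model of the rule engine. The code below is an illustration written for this thread, not ModSecurity or CRS code: it ignores phases, uses a fixed threshold of 5 in place of tx.inbound_anomaly_score_level, and the scoring rule ids 950001/973300, their match predicates and the sample request are constructed. Only 900004 and 981176 are taken from the thread, and they keep the roles described there.

```python
"""Toy model of ModSecurity CRS 2.2.x blocking modes (illustration, not real engine code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Rule:
    rule_id: int
    # Predicate over the request; None models a SecAction that always "matches".
    match: Optional[Callable[[str], bool]]
    # Disruptive action "pass"/"deny"; None inherits SecDefaultAction.
    action: Optional[str] = None
    # setvar: "+5" increments a TX counter, any other value assigns it.
    setvar: Dict[str, str] = field(default_factory=dict)
    # True for the 981176-style rule that decides on the accumulated score.
    evaluates: bool = False


@dataclass
class Result:
    status: int            # 200 = request passed, 403 = blocked
    matched: List[int]     # rule ids that matched, in processing order
    tx: Dict[str, object]  # final TX collection


def process(rules: List[Rule], request: str, default_action: str,
            threshold: int = 5) -> Result:
    """Run the rules in order, as ModSecurity does within a phase."""
    tx: Dict[str, object] = {"anomaly_score": 0, "anomaly_score_blocking": "off"}
    matched: List[int] = []
    for rule in rules:
        if rule.evaluates:
            # The evaluation rule can only see what earlier rules put in TX.
            if tx["anomaly_score_blocking"] == "on" and int(tx["anomaly_score"]) >= threshold:
                matched.append(rule.rule_id)
                return Result(403, matched, tx)
            continue
        if rule.match is not None and not rule.match(request):
            continue
        matched.append(rule.rule_id)
        for name, value in rule.setvar.items():
            if value.startswith("+"):
                tx[name] = int(tx.get(name, 0)) + int(value[1:])
            else:
                tx[name] = value
        # A rule without its own disruptive action inherits SecDefaultAction.
        if (rule.action or default_action) == "deny":
            return Result(403, matched, tx)   # self-contained: stop at first match
    return Result(200, matched, tx)


# Constructed stand-ins for CRS scoring rules (ids and predicates are illustrative).
def sqli_like(req: str) -> bool:
    return "' or " in req.lower()


def xss_like(req: str) -> bool:
    return "<script" in req.lower()


SCORING_RULES = [
    Rule(950001, sqli_like, setvar={"anomaly_score": "+5"}),
    Rule(973300, xss_like, setvar={"anomaly_score": "+5"}),
]
# Role of 900004 in the thread: turn anomaly-score blocking on early.
FLAG_RULE = Rule(900004, None, action="pass", setvar={"anomaly_score_blocking": "on"})
# Role of 981176 in the thread: evaluate the accumulated inbound score.
EVAL_RULE = Rule(981176, None, evaluates=True)

ATTACK = "id=1' OR '1'='1<script>alert(1)</script>"   # constructed sample request
NORMAL = "id=42"                                        # constructed benign request


def anomaly_mode_correct() -> Result:
    """Flag set first, scoring rules, evaluation last: blocks, all matches logged."""
    return process([FLAG_RULE] + SCORING_RULES + [EVAL_RULE], ATTACK, "pass")


def anomaly_mode_eval_too_early() -> Result:
    """981176 placed before the scoring rules: score is still 0 when it runs."""
    return process([FLAG_RULE, EVAL_RULE] + SCORING_RULES, ATTACK, "pass")


def anomaly_mode_flag_too_late() -> Result:
    """900004 placed after 981176: blocking flag is off when the score is judged."""
    return process(SCORING_RULES + [EVAL_RULE, FLAG_RULE], ATTACK, "pass")


def self_contained_mode() -> Result:
    """SecDefaultAction deny: the first matching rule blocks, nothing else runs."""
    return process(SCORING_RULES + [EVAL_RULE], ATTACK, "deny")


if __name__ == "__main__":
    for name, fn in [("anomaly, correct order", anomaly_mode_correct),
                     ("anomaly, eval too early", anomaly_mode_eval_too_early),
                     ("anomaly, flag too late", anomaly_mode_flag_too_late),
                     ("self-contained", self_contained_mode)]:
        r = fn()
        print(f"{name:26s} -> {r.status}  matched={r.matched}  score={r.tx['anomaly_score']}")
```

Running it shows the two symptoms from the thread side by side: with deny as the default only one rule id is reported before the 403 (Thomas's "only one message" observation), while in anomaly mode the 403 is reached only when 981176 comes after every scoring rule and after the 900004-style flag, which is exactly why moving 981176 to the end made blocking work.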