[mod-security-users] Rule exception for specific hosts
From: Jan P. G. <jg...@so...> - 2013-05-24 12:40:22
Hi there,

I'm relatively new to mod_security, so sorry for maybe dumb questions.

I've built and installed mod_security2 2.7.3 on my webserver, included it with the OWASP CRS 2.2.7. So far no problems, it is running with the recommended configuration on "DETECTION_ONLY".

Now I try to correct false positives, so as the following one:
My nagios-server (Service observation) is checking if my robots.txt is readable. This gives an audit-warning because of missing Accept Header. (Audit-Log on the bottom)

I tried to create a rule especially for this host, which deactivates the problem-rule:

SecRule REMOTE_ADDR "@ipMatch 10.0.0.2" "chain,phase:2,id:'1001',t:none,pass,nolog"
SecRule REQUEST_HEADERS:User-Agent "^check_http.*\(nagios-plugins.*\)$" "t:none,ctl:ruleRemoveById=960015"

Unfortunately it doesn't work. :(
Maybe some experienced user could help me with this, thanks!

Best regards,
Jan Phillip Greimann

-----------------------------------------------------------
--1e454857-A--
[24/May/2013:13:38:20 +0200] UZ9RLH8AAQEAAHWYQmUAAAAT 10.0.0.2 48846 10.0.3.100 443
--1e454857-B--
GET /robots.txt HTTP/1.1
User-Agent: check_http/v1.4.15 (nagios-plugins 1.4.15)
Connection: close
Host: test.domain.invalid

--1e454857-E--
User-agent: *
Allow: /

--1e454857-F--
HTTP/1.1 200 OK
Last-Modified: Mon, 29 Aug 2011 12:38:46 GMT
Accept-Ranges: bytes
Content-Length: 70
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain; charset=utf-8

--1e454857-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity.d/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=0, XSS=0): Request Missing an Accept Header"]
Stopwatch: 1369395500250834 2204 (- - -)
Stopwatch2: 1369395500250834 2204; combined=1203, p1=323, p2=571, p3=14, p4=137, p5=147, sr=84, sw=11, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.7.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--1e454857-Z--
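
When tuning false positives like the one in the post above, it helps to pull out of the audit log which rule ids fired for which client and User-Agent before writing an exception. The following is an added example, not part of the original post and not ModSecurity's own code; the function names `parse_entries` and `rules_by_client` are hypothetical, and the sample is a trimmed copy of the audit-log entry from the post.

```python
import re
from collections import defaultdict

# Constructed sample: the audit-log entry from the post, trimmed to sections A, B, H, Z.
SAMPLE = """\
--1e454857-A--
[24/May/2013:13:38:20 +0200] UZ9RLH8AAQEAAHWYQmUAAAAT 10.0.0.2 48846 10.0.3.100 443
--1e454857-B--
GET /robots.txt HTTP/1.1
User-Agent: check_http/v1.4.15 (nagios-plugins 1.4.15)
Host: test.domain.invalid
--1e454857-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [id "981203"] [msg "Inbound Anomaly Score"]
--1e454857-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")   # section marker, e.g. --1e454857-H--
A_LINE = re.compile(r"^\[[^\]]+\]\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+")  # timestamp, unique id, client IP
RULE_ID = re.compile(r'\[id "(\d+)"\]')

def parse_entries(text):
    """Split a serial audit log into entries: one dict of section letter -> lines."""
    entries, current, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            section = m.group(2)
            if section == "A":            # section A always opens a new transaction
                current = {}
                entries.append(current)
            if current is not None:
                current.setdefault(section, [])
        elif current is not None:
            current[section].append(line)
    return entries

def rules_by_client(entries):
    """Map (client IP, User-Agent) -> sorted rule ids logged in section H."""
    hits = defaultdict(set)
    for e in entries:
        a = A_LINE.match(" ".join(e.get("A", [])))
        ua = next((l.split(":", 1)[1].strip() for l in e.get("B", [])
                   if l.lower().startswith("user-agent:")), "")
        ids = RULE_ID.findall("\n".join(e.get("H", [])))
        if a and ids:
            hits[(a.group(2), ua)].update(ids)
    return {k: sorted(v) for k, v in hits.items()}

if __name__ == "__main__":
    print(rules_by_client(parse_entries(SAMPLE)))
```

In the entry from the post, the second id comes from the CRS correlation file and reports the anomaly score; the first id is the one the message says triggered it.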