Re: [mod-security-users] Adjust Anomaly Threshold on Cookies?
From: Christian F. <chr...@ne...> - 2018-01-08 10:02:19
Hey Leon,

Your rule IDs point to an outdated version of the Core Rule Set (2.2.x). I suggest you update to the Core Rule Set 3.0.2 version and the alerts should disappear as the rules in question are no longer part of the default installation.

It is generally possible to exclude individual cookies from a given rule. But the syntax is slightly different from the one you presented. I suggest you follow the tutorial about the handling of false positives at
https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/

Good luck!

Christian

On Mon, Jan 08, 2018 at 09:48:50AM +0000, leon matthews via mod-security-users wrote:
> Despite a ton of Googling, reading the Modsecurity Handbook and trial
> and error I still can't figure out if I can adjust sensitivity to
> specific rules on specific cookies.
> Our false positives seem to be caused by rules 981260 and 981231
> finding matches in the XSRF token cookies automatically made by our
> website's framework. I can disable the rules for the cookies, but I'd
> like to know if I can just make the existing ones less sensitive for
> specific cookie names so there's still some security in place.
> The following rule crashes with the error 'Rules must have at least id
> action'
> SecRule REQUEST_COOKIES:EXAMPLE-NAME "phase:2,id:108,t:none,setvar:tx.inbound_anomaly_score_level=25,pass,log"
> What's the best way to handle these cookies or this situation?

--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
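
The per-cookie exclusion the reply refers to, written out as an added example that is not part of the original thread or of the linked tutorial. The cookie name and rule ids 981260/981231 are the ones quoted in the post; rule id 10001 and the path `/app/` are constructed placeholders.

```apache
# Added example (ModSecurity 2.x directives). Not taken from the thread.

# Why the posted rule fails to load: SecRule expects VARIABLES, OPERATOR and
# ACTIONS. With only two arguments the quoted action list is parsed as the
# operator, so the rule ends up with no actions and therefore no id, which
# produces 'Rules must have at least id action'.

# Option 1, startup-time exclusion: remove one cookie from the targets of the
# two rules. Every other cookie and parameter is still inspected by them.
# Load this AFTER the Core Rule Set include; the rules must already exist.
SecRuleUpdateTargetById 981260 "!REQUEST_COOKIES:EXAMPLE-NAME"
SecRuleUpdateTargetById 981231 "!REQUEST_COOKIES:EXAMPLE-NAME"

# Option 2, runtime exclusion: the same target removal, but only for requests
# under one path (constructed here as /app/). Load this BEFORE the Core Rule
# Set include so the ctl action has been applied when the rules run.
SecRule REQUEST_URI "@beginsWith /app/" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    ctl:ruleRemoveTargetById=981260;REQUEST_COOKIES:EXAMPLE-NAME,\
    ctl:ruleRemoveTargetById=981231;REQUEST_COOKIES:EXAMPLE-NAME"
```

Use one option, not both. Either one leaves the anomaly threshold untouched, so the exclusion stays limited to a single cookie on two rules.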