Re: [mod-security-users] Adjust Anomaly Threshold on Cookies?
From: leon m. <mig...@ya...> - 2018-01-08 10:44:13
That's fantastic, thank you! I'll do both those things!
Leon
On Monday, 8 January 2018, 10:02, Christian Folini <chr...@ne...> wrote:
Hey Leon,
Your rule IDs point to an outdated version of the Core Rule Set (2.2.x).
I suggest you update to the Core Rule Set 3.0.2 version and the alerts
should disappear as the rules in question are no longer part of the
default installation.
It is generally possible to exclude individual cookies from a given rule.
But the syntax is slightly different from the one you presented. I suggest
you follow the tutorial about the handling of false positives at
https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/
Good luck!
Christian
On Mon, Jan 08, 2018 at 09:48:50AM +0000, leon matthews via mod-security-users wrote:
> Despite a ton of Googling, reading the Modsecurity Handbook and trial
> and error I still can't figure out if I can adjust sensitivity to
> specific rules on specific cookies.
> Our false positives seem to be caused by rules 981260 and 981231
> finding matches in the XSRF token cookies automatically made by our
> website's framework. I can disable the rules for the cookies, but I'd
> like to know if I can just make the existing ones less sensitive for
> specific cookie names so there's still some security in place.
> The following rule crashes with the error 'Rules must have at least id
> action'
> SecRule REQUEST_COOKIES:EXAMPLE-NAME "phase:2,id:108,t:none,setvar:tx.inbound_anomaly_score_level=25,pass,log"
> What's the best way to handle these cookies or this situation?
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
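Added example, not part of the thread or of the Core Rule Set: one way to write the per-cookie exclusion mentioned in the reply for rules 981260 and 981231, beside a parseable form of the threshold rule from the original post. Rule ids 10800 and 10801, the `/app/` path and the load-order comments are assumptions; `EXAMPLE-NAME` and `tx.inbound_anomaly_score_level` are taken from the post.

```apache
# Why the posted rule is rejected: SecRule expects VARIABLES, OPERATOR and
# (optionally) ACTIONS. With only two arguments the quoted action list is read
# as the operator, so the rule ends up with no actions of its own and hence
# no id, which is what the error message reports.

# Option 1, configure time: keep both rules active for every other target and
# drop only this one cookie from their target lists.
# Load AFTER the CRS rule files, since the rules must already be defined.
SecRuleUpdateTargetById 981260 "!REQUEST_COOKIES:EXAMPLE-NAME"
SecRuleUpdateTargetById 981231 "!REQUEST_COOKIES:EXAMPLE-NAME"

# Option 2, runtime: the same exclusion, limited to requests under a
# hypothetical application path. Load BEFORE the CRS rule files so the ctl
# action has run by the time 981260 and 981231 are evaluated.
SecRule REQUEST_URI "@beginsWith /app/" \
    "id:10800,phase:1,t:none,pass,nolog,\
    ctl:ruleRemoveTargetById=981260;REQUEST_COOKIES:EXAMPLE-NAME,\
    ctl:ruleRemoveTargetById=981231;REQUEST_COOKIES:EXAMPLE-NAME"

# Parseable form of the posted rule, shown for comparison only.
# The operator "@gt 0" on the &-count of the cookie is the missing piece.
# Caveat: this raises the blocking threshold for the WHOLE request whenever
# the cookie is present, not just for the cookie value, and the client decides
# whether the cookie is sent. Options 1 and 2 are narrower.
# Load BEFORE the CRS files so it runs ahead of the phase 2 blocking check.
SecRule &REQUEST_COOKIES:EXAMPLE-NAME "@gt 0" \
    "id:10801,phase:2,t:none,pass,log,\
    setvar:tx.inbound_anomaly_score_level=25"
```

After a reload, the audit log for a request carrying the cookie should no longer list 981260 or 981231 with `REQUEST_COOKIES:EXAMPLE-NAME` as the matched variable, while both rules still fire on other targets.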