Re: [mod-security-users] crs ruleset and trace method?
From: Reindl H. <h.r...@th...> - 2018-03-21 10:25:34
On 21.03.2018 at 11:11, Eero Volotinen wrote:
> Not enough familiar with modsecurity.
>
> Just wondering, that there isn't any rule to block trace in crs. is
> there an easy way to implement that?

why would someone do that when you can and should disable it entirely on
your webserver?

i guess you are coming from OpenVAS warnings but then also search for
options to disable things properly instead of burying them within a
firewall layer

[root@srv-rhsoft:~]$ cat conf/httpd-core.conf | grep Trace
TraceEnable Off

> On Wed, Mar 21, 2018 at 11:53 AM, Christian Folini
> <chr...@ne...> wrote:
>
> Hey Eero,
>
> The TRACE method is somewhat special. At least in Apache. The request
> skips phase 2 and thus the CRS rule covering tx.allowed_methods.
>
> There are discussions to move this block of rules to phase 1 though.
> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015
>
> You may want to chime in there.
>
> Ahoj,
>
> Christian
>
> On Wed, Mar 21, 2018 at 09:15:52AM +0200, Eero Volotinen wrote:
> > Hi,
> >
> > Just noticed that crs ruleset is not blocking trace method, even
> > setvar:'tx.allowed_methods=GET POST'"
> >
> > Is this a bug?
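
The TraceEnable check discussed in this message, as an added example that is not part of the original mail: a shell function that reports which TraceEnable value wins across the given Apache config files, skipping commented-out lines and matching the directive regardless of case. The function names and sample files are constructed for illustration; Include lines and per-virtual-host scoping are not handled.

```shell
#!/bin/sh
# Added example, not from the original message.
# Limits: files are read in the order given; Include lines are not followed
# and per-virtual-host scoping is not modelled.

# Print the last TraceEnable value found ("on", "off", "extended"),
# or "unset" when no active directive exists (Apache then defaults to on).
trace_enable_state() {
    awk '
        { sub(/^[ \t]+/, "") }      # drop leading indentation
        /^#/ { next }               # commented-out directives do not count
        tolower($1) == "traceenable" { state = tolower($2) }
        END { if (state == "") state = "unset"; print state }
    ' "$@"
}

# Succeed only when TRACE is explicitly disabled.
trace_is_off() {
    [ "$(trace_enable_state "$@")" = "off" ]
}

# Constructed sample configs (not taken from any real server).
demo_dir=$(mktemp -d)
printf '%s\n' 'ServerTokens Prod' '#TraceEnable Off' > "$demo_dir/commented.conf"
printf '%s\n' 'ServerTokens Prod' '  traceenable OFF' > "$demo_dir/hardened.conf"
printf '%s\n' 'TraceEnable Off' 'TraceEnable extended' > "$demo_dir/override.conf"

for name in commented hardened override; do
    file="$demo_dir/$name.conf"
    if trace_is_off "$file"; then
        verdict="TRACE disabled"
    else
        verdict="TRACE still answered by httpd"
    fi
    printf '%-10s %-9s %s\n' "$name" "$(trace_enable_state "$file")" "$verdict"
done
rm -rf "$demo_dir"
```

Only the hardened sample reports TRACE as disabled; the commented-out directive and the later `extended` override both leave the method enabled.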