Re: [mod-security-users] crs ruleset and trace method?
From: Christian F. <chr...@ne...> - 2018-03-21 12:22:14
That's a reasonable suggestion. Would you mind making a pull request with your proposed wording?

Best,

Christian

On Wed, Mar 21, 2018 at 12:50:19PM +0200, Eero Volotinen wrote:
> Well,
>
> Maybe it's time to fix the documentation:
>
> # HTTP methods that a client is allowed to use.
> # Default: GET HEAD POST OPTIONS
> # Example: for RESTful APIs, add the following methods: PUT PATCH DELETE
> # Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK
> # MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK
> # Uncomment this rule to change the default.
> SecAction \
> "id:900200,\
> phase:1,\
> nolog,\
> pass,\
> t:none,\
> setvar:'tx.allowed_methods=GET POST'"
>
> It's not working as expected. How about saying that the rule is not blocking
> the TRACE method?
>
> Eero
>
> On Wed, Mar 21, 2018 at 12:25 PM, Reindl Harald <h.r...@th...> wrote:
> >
> > On 21.03.2018 at 11:11, Eero Volotinen wrote:
> >
> > > Not familiar enough with modsecurity.
> > >
> > > Just wondering, that there is no rule to block TRACE in CRS. Is there an
> > > easy way to implement that?
> >
> > why would someone do that when you can and should disable it entirely on
> > your webserver? i guess you are coming from OpenVAS warnings but then also
> > search for options to disable things properly instead of burying them within a
> > firewall layer
> >
> > [root@srv-rhsoft:~]$ cat conf/httpd-core.conf | grep Trace
> > TraceEnable Off
> >
> > On Wed, Mar 21, 2018 at 11:53 AM, Christian Folini <chr...@ne...> wrote:
> > >
> > > Hey Eero,
> > >
> > > The TRACE method is somewhat special. At least in Apache. The request
> > > skips phase 2 and thus the CRS rule covering tx.allowed_methods.
> > >
> > > There are discussions to move this block of rules to phase 1 though.
> > > https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015
> > >
> > > You may want to chime in there.
> > >
> > > Ahoj,
> > >
> > > Christian
> > >
> > > On Wed, Mar 21, 2018 at 09:15:52AM +0200, Eero Volotinen wrote:
> > > > Hi,
> > > >
> > > > Just noticed that the CRS ruleset is not blocking the TRACE method, even with
> > > > setvar:'tx.allowed_methods=GET POST'"
> > > >
> > > > Is this a bug?
> >
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/

--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
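The thread makes two points: TRACE should be switched off in Apache itself (Reindl's `TraceEnable Off`), and the CRS allowed-methods check lives in phase 2, which a TRACE request in Apache skips (Christian's explanation). The fragment below is an added example, not the CRS's own rules or anything posted in the thread, that puts both layers side by side: the server-level setting, the stock CRS 900200 setting from crs-setup.conf, and an assumed extra phase-1 rule that enforces `tx.allowed_methods` before phase 2 is reached. Rule id 10001 is a placeholder, the `@within %{tx.allowed_methods}` test mirrors the one the CRS uses in phase 2, and the claim that a phase-1 rule sees TRACE is taken from Christian's message, not verified here.

```apache
# Added example (not from the thread or from the CRS): defence in depth
# against unwanted HTTP methods such as TRACE.

# 1. Turn TRACE off in Apache itself. This is the setting Reindl quotes above
#    and is the primary control; the WAF rules below are a second layer.
TraceEnable Off

# 2. The CRS allowed-methods list, as shipped in crs-setup.conf (rule 900200).
#    Uncomment and edit the list for your application; this example keeps the
#    documented default.
SecAction \
  "id:900200,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"

# 3. Assumed extra check (hypothetical, id 10001 is a placeholder): the same
#    @within test the CRS applies in phase 2, evaluated here in phase 1 so the
#    method is rejected before the request reaches phase 2. This rule must be
#    loaded after crs-setup.conf so that tx.allowed_methods is already set.
SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
  "id:10001,\
  phase:1,\
  deny,\
  status:405,\
  log,\
  msg:'Method not allowed by tx.allowed_methods (phase 1 check)'"
```

After deploying, confirm the behaviour rather than assuming it: a TRACE request sent from a test client against a staging instance should appear in the ModSecurity audit log as a rule 10001 hit (or, with `TraceEnable Off`, be rejected by Apache before ModSecurity logs anything), and the `status:405` response should be visible in the access log. If the audit log shows no phase-1 evaluation for TRACE at all, the phase-2 skip Christian describes also applies to phase 1 on that build, and the Apache directive is the control to rely on.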