Re: [mod-security-users] Issue with whitelisting rule CRS

[Christian F. <chr...@ne...>]

Hey Marcello,

The file mentioned in your alert message points to a CRS rule, however, the
ID 22 does not. There is no rule with ID 22 in the CRS. Also the unique_id
looks a bit odd and an empty hostname...

I can not really tell what's happening here.

Ahoj,

Christian

On Mon, May 21, 2018 at 11:20:37AM +0200, Marcello Lorenzi wrote:
> Hi Users,
> we are testing mod_security on a Nginx 1.12.2 version on our development
> environment and we installed the mod_security 2.9.2 with the OWASP CRS
> 3.0.2. Into our error_log we noticed this error repeated:
> 
> 2018/05/21 09:13:41 [error] 247#247: [client 10.0.0.1] ModSecurity:
> Warning. Pattern match "(.*)" at REQUEST_URI. [file
> "/usr/local/nginx/conf/crs-rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
> [line "500"] [id "22"] [msg "got /cp"] [hostname ""] [uri "/pub/test.html"]
> [unique_id "ALAcAchiAcAcAcAcAVAcAcAG"]
> 
> We configure the file RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf  to skip
> the rule with SecRuleRemoveById related to the rule ID, but the entries are
> present into the error_log.
> 
> Could you confirm if the configuration permits the contents and logs the
> entry? Is it possible to remove also the logging phase?
> 
> Thanks in advance,
> Marcello

> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot

> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/


-- 
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini