Re: [mod-security-users] Issue with whitelisting rule CRS
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Issue with whitelisting rule CRS
|
From: Marcello L. <ce...@gm...> - 2018-05-22 06:57:44
|
Hi Christian, we found an issue into the CRS 3.0.2 version https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/773 and the rule with id 22 is a debug rule not expected. We have fixed it with a specific rule. Marcello On Tue, May 22, 2018 at 5:45 AM, Christian Folini < chr...@ne...> wrote: > Hey Marcello, > > The file mentioned in your alert message points to a CRS rule, however, the > ID 22 does not. There is no rule with ID 22 in the CRS. Also the unique_id > looks a bit odd and an empty hostname... > > I can not really tell what's happening here. > > Ahoj, > > Christian > > On Mon, May 21, 2018 at 11:20:37AM +0200, Marcello Lorenzi wrote: > > Hi Users, > > we are testing mod_security on a Nginx 1.12.2 version on our development > > environment and we installed the mod_security 2.9.2 with the OWASP CRS > > 3.0.2. Into our error_log we noticed this error repeated: > > > > 2018/05/21 09:13:41 [error] 247#247: [client 10.0.0.1] ModSecurity: > > Warning. Pattern match "(.*)" at REQUEST_URI. [file > > "/usr/local/nginx/conf/crs-rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] > > [line "500"] [id "22"] [msg "got /cp"] [hostname ""] [uri > "/pub/test.html"] > > [unique_id "ALAcAchiAcAcAcAcAVAcAcAG"] > > > > We configure the file RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf to > skip > > the rule with SecRuleRemoveById related to the rule ID, but the entries > are > > present into the error_log. > > > > Could you confirm if the configuration permits the contents and logs the > > entry? Is it possible to remove also the logging phase? > > > > Thanks in advance, > > Marcello > > > ------------------------------------------------------------ > ------------------ > > Check out the vibrant tech community on one of the world's most > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > http://www.modsecurity.org/projects/commercial/rules/ > > http://www.modsecurity.org/projects/commercial/support/ > > > -- > https://www.feistyduck.com/training/modsecurity-training-course > https://www.feistyduck.com/books/modsecurity-handbook/ > mailto:chr...@ne... > twitter: @ChrFolini > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > |
