Re: [mod-security-users] Info update rules CRS OWASP
From: Christian F. <chr...@ne...> - 2018-12-12 20:03:26
Hello Marcello,

On Wed, Dec 12, 2018 at 06:05:52PM +0100, Marcello Lorenzi wrote:
> thanks for the response. I read your tutorial but ideally we have to put
> the removal and update of the new rule into
> RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf?

Yes, my tutorials assume a different file layout, but if you stick to
what the official CRS distribution suggests - and it's not that bad for a
production system :) - then that's the file where you want to remove the
rule: Remove at startup time _after_ the declaration of the rule.

Defining it anew is a bit more tricky. If it is targeting a request
it needs to run before the rule 949110 runs, because that's the rule
that does the blocking decision in anomaly scoring mode, which is
the default, in phase 2. So if it is a phase:1 rule, then 999 is fine.
But if it is a phase:2 rule, you should define it in the 900 rule
exclusion file. But only if it is phase:2. If it's phase:1, that's too
early.

Sorry this is so complicated ...

And good luck!

Christian

>
> Thanks,
> Marcello
>
> On Wed, Dec 12, 2018 at 5:53 PM Christian Folini <chr...@ne...> wrote:
>
> > Hey Marcello,
> >
> > That's very tricky or impossible at all.
> >
> > People generally write a rule exclusion for a false positive that
> > skips the rule under certain conditions or they drop the rule and
> > add it anew in a different form (like you have in mind).
> >
> > If you are unfamiliar with the handling of false positives, I suggest
> > you read through my tutorials at https://netnea.com/apache-tutorials.
> >
> > Best,
> >
> > Christian
> >
> >
> > On Wed, Dec 12, 2018 at 05:40:52PM +0100, Marcello Lorenzi wrote:
> > > Hi All,
> > > we have configured an Nginx webserver with mod_security 2.9.2 and
> > > OWASP CRS 3.0.2 and during our tests we noticed that some rules
> > > blocked some requests from external clients. We would update the
> > > rule with ID 920420 adding the POST method into the SecRule section
> > > without rewriting the entire rule.
> > >
> > > Is it possible to override only a little part of a rule in a clean way?
> > >
> > > Thanks,
> > > Marcello
> > >
> > > _______________________________________________
> > > mod-security-users mailing list
> > > mod...@li...
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > http://www.modsecurity.org/projects/commercial/rules/
> > > http://www.modsecurity.org/projects/commercial/support/
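
The placement advice in the reply above can be checked mechanically. The following is an added example, not part of the original mail or of the CRS project: a small Python lint that flags a `SecRuleRemoveById` loaded before the rule it names and a phase:2 rule loaded after 949110. It assumes the rule files load in alphabetical order; the rule bodies, the IDs 10001 and 10002, and the names `parse` and `lint` are constructed for illustration.

```python
import re

# Constructed sample rule set (not real CRS rule text): file name -> contents.
# Assumption: files load in alphabetical order, e.g. via "Include rules/*.conf".
SAMPLE = {
    "REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf":
        "SecRuleRemoveById 920420\n",
    "REQUEST-920-PROTOCOL-ENFORCEMENT.conf":
        'SecRule REQUEST_METHOD "@rx ." \\\n    "id:920420,phase:request,block"\n',
    "REQUEST-949-BLOCKING-EVALUATION.conf":
        'SecRule TX:ANOMALY_SCORE "@ge 5" "id:949110,phase:2,deny"\n',
    "RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf":
        'SecRule REQUEST_URI "@rx ." "id:10001,phase:1,pass"\n'
        'SecRule REQUEST_METHOD "@rx ." "id:10002,phase:2,block"\n',
}
PHASES = {"1": 1, "2": 2, "request": 2}  # phase:request is an alias for phase 2

def parse(files):
    """Return ({rule id: (file, phase)}, [(file, removed id)]) in load order."""
    declared, removals = {}, []
    for name in sorted(files):
        text = files[name].replace("\\\n", " ")  # join continuation lines
        for line in map(str.strip, text.splitlines()):
            if line.startswith("SecRuleRemoveById"):
                removals += [(name, int(i)) for i in re.findall(r"\b\d+\b", line)]
            elif line.startswith("SecRule "):
                rid = re.search(r"\bid:'?(\d+)", line)
                phase = re.search(r"\bphase:'?(\w+)", line)
                if rid:  # chained sub-rules carry no id and are skipped
                    declared[int(rid.group(1))] = (
                        name, PHASES.get(phase.group(1)) if phase else None)
    return declared, removals

def lint(files, blocking_id=949110):
    """Flag removals placed before the rule and phase:2 rules after blocking."""
    declared, removals = parse(files)
    blocking_file = declared[blocking_id][0]
    findings = []
    for name, rid in removals:
        if rid in declared and name < declared[rid][0]:
            findings.append((name, rid, "removed before it is declared"))
    for rid, (name, phase) in sorted(declared.items()):
        if phase == 2 and name > blocking_file:
            findings.append((name, rid, f"phase:2 rule runs after {blocking_id}"))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding, sep=": ")
```

The phase:1 rule 10001 in the 999 file is not flagged, matching the statement that 999 is fine for phase:1.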