Re: [mod-security-users] Testing modsecurity
From: Monah B. <mon...@gm...> - 2019-03-28 14:38:48
I am still able to access the site via IP address
even though my config files are as follows:
My modsecurity.conf file
<IfModule mod_security2.c>
# ModSecurity Core Rules Set configuration
IncludeOptional modsecurity.d/owasp-modsecurity-crs/*.conf
IncludeOptional modsecurity.d/owasp-modsecurity-crs/rules/*.conf
# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess On
SecStatusEngine On
SecRequestBodyLimit 13107200
One of the rules that it's firing on
SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
"id:920350,\
phase:2,\
block,\
t:none,\
msg:'Host header is a numeric IP address',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST',\
tag:'WASCTC/WASC-21',\
tag:'OWASP_TOP_10/A7',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.1.0',\
severity:'WARNING',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/IP_HOST-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
Thanks
Monah
On Mon, Mar 25, 2019 at 2:42 PM Chaim Sanders <ch...@ch...>
wrote:
> You probably don't have the rule engine in the blocking state. Generally
> this means changing the SecRuleEngine directive to 'On'. For more details
> see
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecRuleEngine.
> Let me know if that helps.
>
> On Mon, Mar 25, 2019 at 12:43 PM Monah Baki <mon...@gm...> wrote:
>
>> Hi all,
>>
>> Testing modsecurity, if I enter the IP address of the server, I get the
>> following:
>>
>> [Mon Mar 25 12:34:02.300806 2019] [:error] [pid 14540] [client
>> 192.168.1.11:57650] [client 192.168.1.11] ModSecurity: Warning. Pattern
>> match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file
>> "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
>> [line "798"] [id "920350"] [msg "Host header is a numeric IP address"]
>> [data "192.168.1.2"] [severity "WARNING"] [ver "OWASP_CRS/3.1.0"] [tag
>> "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag
>> "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag
>> "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname
>> "192.168.1.2"] [uri "/favicon.ico"] [unique_id "XJkC@tolWxi51pCyjt7yHwAAAAI"],
>> referer: http://192.168.1.2/
>>
>>
>> I created a test /etc/passwd in my root document folder, but I can still
>> access the file. I read on a website this would be a simple test; am I
>> missing something?
>>
>>
>> Thanks
>> Monah
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> http://www.modsecurity.org/projects/commercial/rules/
>> http://www.modsecurity.org/projects/commercial/support/
>>
>
>
> --
> Chaim Sanders
> http://www.ChaimSanders.com
>
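Added example (not part of the original thread and not CRS project code): rule 920350 as posted only adds tx.warning_anomaly_score to the transaction's anomaly score, and in CRS 3.x anomaly-scoring mode a request is denied only when the total reaches the inbound threshold. The script below tallies error-log alerts per unique_id, assuming the CRS default scores and a threshold of 5; the second transaction, its unique_id and rule id 999001 are constructed.

```python
import re
from collections import defaultdict

# CRS 3.x default severity scores and inbound threshold (assumed unchanged
# on the server discussed in the thread).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5
# Rules that only evaluate/report the total; they add no score themselves.
EVALUATION_RULES = {"949110", "980130"}

FIELD = re.compile(r'\[(id|severity|unique_id) "([^"]*)"\]')

# Line 1: the alert from the thread, shortened. Lines 2-3: constructed
# transaction (rule id 999001 and the unique_id are made up).
SAMPLE_LOG = [
    r'[:error] [client 192.168.1.11] ModSecurity: Warning. Pattern match '
    r'"^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [id "920350"] '
    r'[severity "WARNING"] [unique_id "XJkC@tolWxi51pCyjt7yHwAAAAI"]',
    '[:error] ModSecurity: Warning. [id "920350"] [severity "WARNING"] '
    '[unique_id "CONSTRUCTED-TX-2"]',
    '[:error] ModSecurity: Warning. [id "999001"] [severity "CRITICAL"] '
    '[unique_id "CONSTRUCTED-TX-2"]',
]


def score_transactions(lines):
    """Sum per-severity anomaly points for each transaction (unique_id)."""
    totals = defaultdict(lambda: {"score": 0, "rules": []})
    for line in lines:
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD.findall(line))
        uid, rule_id = fields.get("unique_id"), fields.get("id")
        points = SEVERITY_SCORE.get(fields.get("severity"), 0)
        if uid is None or rule_id in EVALUATION_RULES or points == 0:
            continue
        totals[uid]["score"] += points
        totals[uid]["rules"].append(rule_id)
    return dict(totals)


def would_block(score, threshold=INBOUND_THRESHOLD):
    """Rule 949110 denies the request once the total reaches the threshold."""
    return score >= threshold


if __name__ == "__main__":
    for uid, tx in score_transactions(SAMPLE_LOG).items():
        verdict = "blocked" if would_block(tx["score"]) else "logged only"
        print(f"{uid}: score={tx['score']} rules={tx['rules']} -> {verdict}")
```

Under these defaults the lone WARNING from 920350 scores 3, which stays below 5 and is consistent with the "Warning." log entry and no deny.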