Re: [mod-security-users] Testing modsecurity
From: Chaim S. <ch...@ch...> - 2019-03-28 16:01:39
Just for your information, the order of rules is relevant, so you were loading CRS *before* turning on the engine, so the default applied. I assume by uncommenting crs-setup you placed that before the CRS includes and therefore the rule engine was on. Not a biggy, can be confusing - but we're here to help!

Come join us on the CRS mailing lists if you have more questions :)
https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project

On Thu, Mar 28, 2019 at 10:57 AM Monah Baki <mon...@gm...> wrote:

> Got it to block IP by uncommenting in crs-setup.conf
>
> SecDefaultAction "phase:1,log,auditlog,deny,status:403"
> SecDefaultAction "phase:2,log,auditlog,deny,status:403"
>
> On Mon, Mar 25, 2019 at 2:42 PM Chaim Sanders <ch...@ch...>
> wrote:
>
>> You probably don't have the rule engine in the blocking state. Generally
>> this means changing the SecRuleEngine directive to 'On'. For more details
>> see
>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecRuleEngine.
>> Let me know if that helps.
>>
>> On Mon, Mar 25, 2019 at 12:43 PM Monah Baki <mon...@gm...> wrote:
>>
>>> Hi all,
>>>
>>> Testing modsecurity, if I enter the IP address of the server, I get the
>>> following:
>>>
>>> [Mon Mar 25 12:34:02.300806 2019] [:error] [pid 14540] [client
>>> 192.168.1.11:57650] [client 192.168.1.11] ModSecurity: Warning. Pattern
>>> match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file
>>> "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
>>> [line "798"] [id "920350"] [msg "Host header is a numeric IP address"]
>>> [data "192.168.1.2"] [severity "WARNING"] [ver "OWASP_CRS/3.1.0"] [tag
>>> "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag
>>> "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag
>>> "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname
>>> "192.168.1.2"] [uri "/favicon.ico"] [unique_id "XJkC@tolWxi51pCyjt7yHwAAAAI"],
>>> referer: http://192.168.1.2/
>>>
>>> I created a test /etc/passwd in my root document folder, but I can
>>> still access the file. I read on a website this would be a simple test, am
>>> I missing something?
>>>
>>> Thanks
>>> Monah
>>> _______________________________________________
>>> mod-security-users mailing list
>>> mod...@li...
>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>> http://www.modsecurity.org/projects/commercial/rules/
>>> http://www.modsecurity.org/projects/commercial/support/
>>
>> --
>> Chaim Sanders
>> http://www.ChaimSanders.com

--
Chaim Sanders
http://www.ChaimSanders.com
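An added example, not part of the original thread: one way to confirm from the Apache error log whether a rule match was only logged (the "Warning." entry quoted above) or actually blocked. The "Access denied with code 403" sample line, its timestamp and phase, and the function names are assumptions constructed for illustration.

```python
import re

# Constructed samples in the error-log format quoted in the thread: the first is
# abridged from the quoted entry, the second is an assumed "blocked" counterpart.
SAMPLE_LOG = [
    r'[Mon Mar 25 12:34:02.300806 2019] [:error] [pid 14540] [client 192.168.1.11] '
    r'ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. '
    r'[file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/'
    r'REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "798"] [id "920350"] '
    r'[msg "Host header is a numeric IP address"] [tag "attack-protocol"] '
    r'[tag "OWASP_TOP_10/A7"] [uri "/favicon.ico"]',
    r'[Thu Mar 28 10:50:00.000000 2019] [:error] [pid 14540] [client 192.168.1.11] '
    r'ModSecurity: Access denied with code 403 (phase 2). Pattern match '
    r'"^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [id "920350"] '
    r'[msg "Host header is a numeric IP address"] [uri "/"]',
]

# Only two dispositions are recognised: "Warning." (matched, request allowed)
# and "Access denied with code NNN (phase N)." (request blocked).
EVENT_RE = re.compile(
    r'ModSecurity: (?:Warning|Access denied with code (\d{3}) \(phase (\d)\))\. ')
# Metadata fields look like [name "value"]; the value may hold escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_event(line):
    """Return a dict describing one ModSecurity log entry, or None."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    fields = {}
    for name, value in FIELD_RE.findall(line[m.end():]):
        fields.setdefault(name, []).append(value)  # "tag" repeats
    first = lambda name: fields.get(name, [None])[0]
    return {
        "blocked": m.group(1) is not None,
        "status": int(m.group(1)) if m.group(1) else None,
        "phase": int(m.group(2)) if m.group(2) else None,
        "id": first("id"), "msg": first("msg"), "uri": first("uri"),
        "tags": fields.get("tag", []),
    }

def logged_only(lines):
    """Rule ids that matched without the request being denied."""
    events = filter(None, map(parse_event, lines))
    return sorted({e["id"] for e in events if not e["blocked"]})

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(parse_event(entry))
```

Running `logged_only()` over the log after a test request shows which rule ids are still matching without enforcement.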