Re: [mod-security-users] Testing modsecurity
From: Felipe R. <fel...@gm...> - 2019-03-28 22:07:51
Read this article: https://www.modsecurity.org/CRS/Documentation/anomaly.html

tx.warning_anomaly_score = 3 *rule that was triggered*
tx.inbound_anomaly_score_threshold=5 *default*

You are still below the minimum to fire the deny action.

You don't need to change SecDefaultAction. If you change it like you did, every rule that matches will deny.

On Thu, Mar 28, 2019 at 1:05 PM Chaim Sanders <ch...@ch...> wrote:

> Just for your information, the order of rules is relevant, so you were
> loading CRS *before* turning on the engine, so the default applied. I
> assume by uncommenting crs-setup you placed that before the CRS includes
> and therefore the rule engine was on. Not a biggy, can be confusing - but
> we're here to help! Come join us on the CRS mailing lists if you have more
> questions :)
>
> https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project
>
> On Thu, Mar 28, 2019 at 10:57 AM Monah Baki <mon...@gm...> wrote:
>
>> Got it to block IP by uncommenting in crs-setup.conf
>>
>> SecDefaultAction "phase:1,log,auditlog,deny,status:403"
>> SecDefaultAction "phase:2,log,auditlog,deny,status:403"
>>
>> On Mon, Mar 25, 2019 at 2:42 PM Chaim Sanders <ch...@ch...>
>> wrote:
>>
>>> You probably don't have the rule engine in the blocking state. Generally
>>> this means changing the SecRuleEngine directive to 'On'. For more details
>>> see
>>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecRuleEngine.
>>> Let me know if that helps.
>>>
>>> On Mon, Mar 25, 2019 at 12:43 PM Monah Baki <mon...@gm...> wrote:
>>>
>>>> Hi all,
>>>>
>>>> Testing modsecurity, if I enter the IP address of the server, I get the
>>>> following:
>>>>
>>>> [Mon Mar 25 12:34:02.300806 2019] [:error] [pid 14540] [client
>>>> 192.168.1.11:57650] [client 192.168.1.11] ModSecurity: Warning.
>>>> Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file
>>>> "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
>>>> [line "798"] [id "920350"] [msg "Host header is a numeric IP address"]
>>>> [data "192.168.1.2"] [severity "WARNING"] [ver "OWASP_CRS/3.1.0"] [tag
>>>> "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag
>>>> "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag
>>>> "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname
>>>> "192.168.1.2"] [uri "/favicon.ico"] [unique_id "XJkC@tolWxi51pCyjt7yHwAAAAI"],
>>>> referer: http://192.168.1.2/
>>>>
>>>> I created a test /etc/passwd in my root document folder, but I can
>>>> still access the file. I read on a website this would be a simple test. Am
>>>> I missing something?
>>>>
>>>> Thanks
>>>> Monah
>>>> _______________________________________________
>>>> mod-security-users mailing list
>>>> mod...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>> http://www.modsecurity.org/projects/commercial/support/
>>>
>>> --
>>> --
>>> Chaim Sanders
>>> http://www.ChaimSanders.com
>
> --
> --
> Chaim Sanders
> http://www.ChaimSanders.com
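
The anomaly-score arithmetic discussed in this thread, as an added example that is not part of any poster's message or of the ModSecurity/CRS code: it sums the per-severity scores of the rules logged for each transaction and compares the total with the inbound threshold. Assumptions: the CRITICAL/ERROR/NOTICE scores are the CRS 3.x defaults (the thread only states WARNING = 3 and threshold = 5), the function names are hypothetical, the sample log lines are constructed (the first is abridged from the entry quoted above), and the engine is taken to be in blocking mode.

```python
import re
from collections import defaultdict

# Per-severity scores: WARNING = 3 and threshold = 5 come from the thread;
# the other values are assumed CRS 3.x defaults.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5

# Pull only the fields needed for scoring out of an Apache error-log entry.
FIELD = re.compile(r'\[(id|severity|unique_id) "([^"]*)"\]')

# Constructed sample. Line 1 is abridged from the log in the thread; lines 2-3
# are invented for contrast and use a placeholder rule id (999999).
SAMPLE_LOG = """\
[:error] [client 192.168.1.11] ModSecurity: Warning. Pattern match at REQUEST_HEADERS:Host. [id "920350"] [severity "WARNING"] [unique_id "XJkC@tolWxi51pCyjt7yHwAAAAI"]
[:error] [client 192.168.1.11] ModSecurity: Warning. [id "920350"] [severity "WARNING"] [unique_id "constructed-req-2"]
[:error] [client 192.168.1.11] ModSecurity: Warning. [id "999999"] [severity "CRITICAL"] [unique_id "constructed-req-2"]
"""

def score_transactions(log_text):
    """Sum severity scores per transaction, keyed by unique_id."""
    totals = defaultdict(lambda: {"score": 0, "rules": []})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD.findall(line))
        if not {"id", "severity", "unique_id"} <= set(fields):
            continue  # entry lacks a field needed for scoring
        tx = totals[fields["unique_id"]]
        tx["score"] += SEVERITY_SCORE.get(fields["severity"].upper(), 0)
        tx["rules"].append(fields["id"])
    return dict(totals)

def would_block(score, threshold=INBOUND_THRESHOLD):
    """The blocking evaluation fires when the score reaches the threshold."""
    return score >= threshold

if __name__ == "__main__":
    for uid, tx in score_transactions(SAMPLE_LOG).items():
        verdict = "blocked" if would_block(tx["score"]) else "logged only"
        print(f"{uid}: rules={tx['rules']} score={tx['score']} -> {verdict}")
```
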