[mod-security-users] Trying out "early blocking"
From: CM <ne...@pr...> - 2025-05-08 21:46:00
I am testing out the latest CRS 4.14 because I was interested in the "early blocking" feature. I am using Ubuntu 24.04 with its libapache2-mod-security2 package (version 2.9.7-1build3). I believe this version of modsecurity should be sufficient for running the latest CRS; however, I get various strange behaviors when turning on early blocking.

As I understand it, modsecurity has a "--enable-request-early" compile flag that needs to be turned on; however, I'm not sure how to tell whether my mod_security2.so was compiled with this option or not. My hypothesis is that because Ubuntu does not ship CRS 4.x yet, they might be compiling modsecurity with this functionality disabled. I had an idea to try the libapache2-mod-security2 package from Ubuntu 25.04 (which would give me 2.9.8); however, I haven't done so yet. Is there a way to examine my mod_security2.so to determine whether it was compiled with early blocking support or not?

Here are some of the odd behaviors I'm encountering:

- With early blocking enabled, requests that trigger an Apache redirect still get redirected, even though the audit log shows that they should have been blocked:

--992be21d-F--
HTTP/1.1 308 Permanent Redirect
...
--992be21d-H--
Message: Access denied with code 403 (phase 1). [file "/usr/local/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "221"] [id "949111"] [msg "Inbound Anomaly Score Exceeded in phase 1 (Total Score: 12)"] [ver "OWASP_CRS/4.14.0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"]
Action: Intercepted (phase 1)

- If I try to update rule 949111 to do anything other than a 403, then that action gets applied to ALL requests, not just blocks. For example, with this:

SecRuleUpdateActionById 949111 "status:404"

even requests with an anomaly score of ZERO get blocked:

Message: Access denied with code 404 (phase 1). [file "/usr/local/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "221"] [id "949111"] [msg "Inbound Anomaly Score Exceeded in phase 1 (Total Score: 0)"] [ver "OWASP_CRS/4.14.0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"]

But if I don't modify 949111, then this doesn't happen.
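As an added example (not from the poster, nor code from the CRS or ModSecurity projects), the following Python script parses a constructed serial-format ModSecurity 2 audit log and flags the two symptoms described in the post: a transaction whose H section records a deny while its F section shows a different status actually reached the client, and a deny logged with a total anomaly score of 0. The transaction ids, the trimmed log lines and the section layout are assumptions modelled on the excerpts above.

```python
import re

# Constructed sample in ModSecurity 2 serial audit-log format (not a real capture). Transaction
# 992be21d mirrors the post: section H records a 403 deny, but section F shows a 308 went out.
SAMPLE_LOG = """\
--992be21d-F--
HTTP/1.1 308 Permanent Redirect
--992be21d-H--
Message: Access denied with code 403 (phase 1). [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "221"] [id "949111"] [msg "Inbound Anomaly Score Exceeded in phase 1 (Total Score: 12)"]
Action: Intercepted (phase 1)
--992be21d-Z--
--aa11bb22-F--
HTTP/1.1 403 Forbidden
--aa11bb22-H--
Message: Access denied with code 403 (phase 1). [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "221"] [id "949111"] [msg "Inbound Anomaly Score Exceeded in phase 1 (Total Score: 0)"]
Action: Intercepted (phase 1)
--aa11bb22-Z--
"""

SECTION = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")          # --<txn id>-<section letter>--
STATUS = re.compile(r"^HTTP/\d\.\d (\d{3})")                 # response status line in section F
DENY = re.compile(r'Access denied with code (\d{3}) \(phase (\d)\).*?\[id "(\d+)"\]'
                  r'(?:.*?Total Score: (\d+))?')             # deny line in section H

def parse_audit_log(text):
    """Group a serial-format audit log into {txn_id: {section_letter: [lines]}}."""
    txns, key = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            key = m.groups()
            txns.setdefault(key[0], {}).setdefault(key[1], [])
        elif key:
            txns[key[0]][key[1]].append(line)
    return txns

def audit_denies(text):
    """For each transaction denied in section H, compare the status ModSecurity intended with
    the status line the client actually got (section F), and flag denies logged at score 0."""
    findings = []
    for tid, secs in parse_audit_log(text).items():
        deny = next((DENY.search(l) for l in secs.get("H", []) if "Access denied" in l), None)
        if not deny:
            continue
        intended, phase, rule_id, score = deny.groups()
        sent = next((STATUS.match(l) for l in secs.get("F", []) if l.startswith("HTTP/")), None)
        findings.append({"txn": tid, "rule": rule_id, "phase": int(phase),
                         "intended": int(intended), "sent": int(sent.group(1)) if sent else None,
                         "status_mismatch": sent is None or sent.group(1) != intended,
                         "zero_score_deny": score == "0"})
    return findings
```

Running audit_denies over a real audit log (SecAuditLogType Serial) gives a quick count of how often an "Intercepted" deny is contradicted by the status that was actually sent, which is the observable difference between a phase 1 that runs early and one that runs after Apache's redirect handling.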