Re: [mod-security-users] Trying out "early blocking"
From: Ervin H. <ai...@gm...> - 2025-05-12 08:43:23
Hi CM,

I was able to check that with the "regular" build options (that I mentioned previously - Debian and Ubuntu deliver their packages with those options). Also I checked crs-setup.conf and enabled the early blocking mechanism:
https://github.com/coreruleset/coreruleset/blob/main/crs-setup.conf.example#L413-L421

I set up my config to use CRS on PL4 (to be sure that the engine runs as many rules as possible). Then I sent a minimal but invalid request with the telnet command:

telnet localhost 80
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.1
Host: 127.0.0.1

HTTP/1.1 200 OK
Date: Mon, 12 May 2025 08:32:07 GMT
Server: Apache/2.4.63 (Debian)
Content-Length: 0

Errors in this request:
* `Host` is an IP address - rule 920350
* `User-Agent` header is missing - rule 920320

These two rules collect 5 points, which is enough to trigger rule 949111, which is responsible for denying the request in phase:1:
https://github.com/coreruleset/coreruleset/blob/main/rules/REQUEST-949-BLOCKING-EVALUATION.conf#L212-L222

Here is the log:

ModSecurity: Warning. Operator EQ matched 1 at TX:early_blocking. [file "/home/airween/src/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "221"] [id "949111"] [msg "Inbound Anomaly Score Exceeded in phase 1 (Total Score: 5)"] [ver "OWASP_CRS/4.15.0-dev"]

(I get response 200 because the engine is in DetectionOnly mode, and this is why you see "ModSecurity: Warning", and not "Access Denied".)

I think early blocking works as we expected. Please check your config again - hope this summary helps you.

Regards,
a.
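As an added example, not code from the post, from ModSecurity or from the CRS project, the Python script below walks through the scoring the message describes. It parses the request head that was typed into telnet, applies reduced stand-ins for rules 920350 (Host is a numeric IP, PL1, severity WARNING = 3) and 920320 (User-Agent missing, PL2, severity NOTICE = 2) with the CRS default severity weights and inbound threshold of 5, and then shows how the phase-1 outcome changes between SecRuleEngine DetectionOnly and On, and between tx.early_blocking set and unset (without early blocking, the same score is only evaluated by 949110 in phase 2). It also parses the log line quoted above. The matching logic is a simplification of the real rules, not the CRS regexes; the sample request and log line are the ones from the post.

```python
import ipaddress
import re

# CRS default severity weights and inbound threshold (crs-setup.conf defaults).
# With these, the two hits from the post add up to 3 + 2 = 5, which meets the threshold.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5

# Constructed probe: exactly the request head typed into telnet in the post.
PROBE = "GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"

# The log line quoted in the post, used here as sample input for the log parser.
SAMPLE_LOG = (
    'ModSecurity: Warning. Operator EQ matched 1 at TX:early_blocking. '
    '[file "/home/airween/src/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[line "221"] [id "949111"] '
    '[msg "Inbound Anomaly Score Exceeded in phase 1 (Total Score: 5)"] '
    '[ver "OWASP_CRS/4.15.0-dev"]'
)


def parse_request_head(raw):
    """Split a raw HTTP/1.x request head into (request line, header dict).

    Header names are lowercased; repeated headers are kept as a list."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the head
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def host_without_port(host):
    """Strip an optional :port from a Host value ('[::1]:80' -> '::1')."""
    if host.startswith("["):
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def phase1_rules(headers, paranoia_level):
    """Simplified emulation of the two CRS phase-1 checks named in the post.

    Rule ids, paranoia levels and severities are the CRS ones; the matching
    logic is a reduced stand-in, not the CRS regexes."""
    hits = []
    host = host_without_port(headers.get("host", [""])[0])
    if paranoia_level >= 1:
        try:
            ipaddress.ip_address(host)
            hits.append((920350, "WARNING"))   # 920350: Host header is a numeric IP
        except ValueError:
            pass
    if paranoia_level >= 2 and "user-agent" not in headers:
        hits.append((920320, "NOTICE"))        # 920320: User-Agent header missing
    return hits


def evaluate(raw, paranoia_level=4, early_blocking=True, engine="DetectionOnly"):
    """Return the phase-1 anomaly score and what the engine does with it.

    949111 only acts when tx.early_blocking=1 and the running inbound score
    already meets the threshold; otherwise the decision waits for 949110 in
    phase 2. In DetectionOnly mode a match is logged as 'ModSecurity: Warning'
    and the request goes through (the 200 seen in the post)."""
    _, headers = parse_request_head(raw)
    hits = phase1_rules(headers, paranoia_level)
    score = sum(SEVERITY_SCORE[sev] for _, sev in hits)
    if early_blocking and score >= INBOUND_THRESHOLD:
        action = "deny" if engine == "On" else "warn"
    else:
        action = "pass"
    return {"hits": [rid for rid, _ in hits], "score": score, "action": action}


LOG_RE = re.compile(r'\[id "(?P<id>\d+)"\].*?\[msg "(?P<msg>[^"]*)"\]')


def parse_modsec_log(line):
    """Pull rule id, total score and warn/deny out of one ModSecurity error-log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    score = re.search(r"Total Score: (\d+)", m.group("msg"))
    return {
        "id": int(m.group("id")),
        "total_score": int(score.group(1)) if score else None,
        "warning_only": line.startswith("ModSecurity: Warning"),
    }


if __name__ == "__main__":
    print(evaluate(PROBE))                    # DetectionOnly: score 5, action 'warn'
    print(evaluate(PROBE, engine="On"))       # SecRuleEngine On: action 'deny'
    print(evaluate(PROBE, early_blocking=False))  # no early blocking: phase 1 passes
    print(parse_modsec_log(SAMPLE_LOG))
```

Running it with a PL1 setting shows only 920350 firing (score 3, below the threshold), which is why the post raised the paranoia level to make sure enough phase-1 rules were active for the early-blocking path to be exercised.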