Re: [mod-security-users] Trying out "early blocking"
From: CM <ne...@pr...> - 2025-05-27 03:24:54
But the purpose of early blocking is to block requests that Apache would have otherwise redirected, is it not? Your 200 OK implies that there's no redirection in place, so even though your log claimed that early blocking happened (my logs claim that too), it's insufficient to prove that the redirect-prevention functionality is actually functioning. What I'm seeing is that even though the logs claim early blocking is happening, Apache is still able to perform redirects as normal on those requests.

Refer to the attached auditlog1.txt, where a score-14 request is answered with a 308 redirect to another site even though the log claims "Access denied with code 403 (phase 1)". (You won't see all the rules it matched because I put noauditlog on some of the 3-point rules; in total it violated three 3-point rules (noauditlog'd) and one 5-point rule, for a total score of 14.)

After doing some additional testing, this seems to be an incompatibility between early blocking and Apache's "ErrorDocument 403" directive. If I disable "ErrorDocument 403" then early blocking is actually able to prevent redirects, but I don't really want to do that. "ErrorDocument", when pointing to an internal URL, is supposed to do a transparent, internal rewrite rather than a redirect, but it sometimes has weird esoteric interactions and incompatibilities, and it appears incompatibility with early blocking is one of them.

So my next thought was to try to do early blocking with something other than a 403, using some code I don't have an ErrorDocument for, such as a 429. So I go to RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf and try to modify early blocking rule 949111 like this:

SecRuleUpdateActionById 949111 "t:none,deny,status:429"

but this breaks my entire server and causes **all** requests to be rejected with a 429, even score-0 requests. See the attached auditlog2.txt, where a perfect score-0 request is rejected with a 429:

Message: Access denied with code 429 (phase 1). [file "/usr/local/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "221"] [id "949111"] [msg "Inbound Anomaly Score Exceeded in phase 1 (Total Score: 0)"] [ver "OWASP_CRS/4.14.0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"]

So I'm at a loss about how to proceed from here, other than turning off early blocking, and probably going back to an older CRS version, since my only reason for testing out CRS4 was because I thought I would be able to get early blocking to work.

Sent with Proton Mail secure email.

On Monday, May 12th, 2025 at 3:43 AM, Ervin Hegedüs <ai...@gm...> wrote:

> Hi CM,
>
> I was able to check that with the "regular" build options (that I
> mentioned previously - Debian and Ubuntu deliver their packages
> with those options).
>
> Also I checked crs-setup.conf and enabled early blocking
> mechanism:
>
> https://github.com/coreruleset/coreruleset/blob/main/crs-setup.conf.example#L413-L421
>
> I set up my config to use CRS on PL4 (to be sure that engine runs
> as many rules as possible).
>
> Then I sent a minimal but invalid request with telnet command:
>
> telnet localhost 80
> Trying ::1...
> Connected to localhost.
> Escape character is '^]'.
> GET / HTTP/1.1
> Host: 127.0.0.1
>
> HTTP/1.1 200 OK
> Date: Mon, 12 May 2025 08:32:07 GMT
> Server: Apache/2.4.63 (Debian)
> Content-Length: 0
>
> Errors in this request:
> * `Host` is an IP address - rule 920350
> * `User-Agent` header is missing - rule 920320
>
> These two rules collect 5 points, which is enough to trigger rule
> 949111, which is responsible for denying the request in phase:1
>
> https://github.com/coreruleset/coreruleset/blob/main/rules/REQUEST-949-BLOCKING-EVALUATION.conf#L212-L222
>
> Here is the log:
>
> ModSecurity: Warning. Operator EQ matched 1 at TX:early_blocking. [file "/home/airween/src/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "221"] [id "949111"] [msg "Inbound Anomaly Score Exceeded in phase 1 (Total Score: 5)"] [ver "OWASP_CRS/4.15.0-dev"]
>
> (I get response 200 because the engine is in DetectionOnly mode,
> and this is why you see "ModSecurity: Warning", and not "Access
> Denied")
>
> I think early blocking works as we expected.
>
> Please check your config again - hope this summary helps you.
>
> Regards,
>
> a.
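The point CM makes is that a log line saying "Access denied" is not proof that the client was denied; only the status line the client received is. As an added example (not code from this thread, from ModSecurity or from CRS), the Python below builds the same minimal invalid probe Ervin sent by telnet (IP-address Host header, no User-Agent; it adds `Connection: close` so a socket read terminates), parses ModSecurity "Message:"/error-log lines of the shape quoted above, and compares the code the log claims to have denied with against the status the client actually got. It flags both failure modes from the post: a deny that is answered with a 3xx redirect, and a deny that fired at Total Score 0. The 429 and score-5 log lines are the ones quoted in the thread; the score-14/403 line and all HTTP status lines are constructed for the example, and `send_probe` is only for use against a live server.

```python
"""Verify that a ModSecurity early-blocking deny actually reached the client.

Added example for the mod-security-users thread; not ModSecurity or CRS code.
"""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# [key "value"] pairs as written by ModSecurity 2.x (msg, id, file, tag, ...)
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DENIED_RE = re.compile(r"Access denied with code (\d+)")
SCORE_RE = re.compile(r"Total Score: (\d+)")
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")

EARLY_BLOCKING_RULE = "949111"  # CRS phase-1 anomaly evaluation rule, per the thread


def build_probe_request(host_header: str = "127.0.0.1") -> bytes:
    """Same request as the telnet session: IP Host header, no User-Agent.
    'Connection: close' is added (not in the telnet session) so recv() ends."""
    return (f"GET / HTTP/1.1\r\nHost: {host_header}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


@dataclass
class LogMessage:
    rule_id: Optional[str]
    denied_code: Optional[int]   # None when the engine only warned (DetectionOnly)
    total_score: Optional[int]
    early_blocking: bool


def parse_modsec_message(line: str) -> LogMessage:
    """Extract rule id, claimed deny code and anomaly score from one log line."""
    tags = dict(TAG_RE.findall(line))  # repeated 'tag' keys collapse; not needed here
    denied = DENIED_RE.search(line)
    score = SCORE_RE.search(tags.get("msg", ""))
    return LogMessage(
        rule_id=tags.get("id"),
        denied_code=int(denied.group(1)) if denied else None,
        total_score=int(score.group(1)) if score else None,
        early_blocking=tags.get("id") == EARLY_BLOCKING_RULE,
    )


def response_status(raw: bytes) -> Optional[int]:
    """Status code from a raw HTTP response, or None if there is no status line."""
    m = STATUS_RE.match(raw.decode("latin-1", "replace"))
    return int(m.group(1)) if m else None


def verdict(msg: LogMessage, status: Optional[int]) -> str:
    """Compare what the log claims with what the client received.
    'warned_only'     no deny in the log (DetectionOnly mode)
    'zero_score_deny' deny fired with Total Score 0 (the broken 429 update)
    'blocked'         deny in the log and the client got exactly that code
    'redirected'      deny in the log but the client got a 3xx (ErrorDocument case)
    'not_enforced'    deny in the log but the client got some other answer
    """
    if msg.denied_code is None:
        return "warned_only"
    if msg.total_score == 0:
        return "zero_score_deny"
    if status == msg.denied_code:
        return "blocked"
    if status is not None and 300 <= status < 400:
        return "redirected"
    return "not_enforced"


def send_probe(server: str, port: int = 80, host_header: str = "127.0.0.1",
               timeout: float = 5.0) -> Optional[int]:
    """Send the probe to a live server and return the status code it answers with."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(build_probe_request(host_header))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return response_status(b"".join(chunks))


# Log lines quoted in the thread.
CM_ZERO_SCORE_LINE = ('Message: Access denied with code 429 (phase 1). '
    '[file "/usr/local/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[line "221"] [id "949111"] [msg "Inbound Anomaly Score Exceeded in phase 1 '
    '(Total Score: 0)"] [ver "OWASP_CRS/4.14.0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"]')
ERVIN_WARNING_LINE = ('ModSecurity: Warning. Operator EQ matched 1 at TX:early_blocking. '
    '[file "/home/airween/src/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[line "221"] [id "949111"] [msg "Inbound Anomaly Score Exceeded in phase 1 '
    '(Total Score: 5)"] [ver "OWASP_CRS/4.15.0-dev"]')
# Constructed: the score-14 deny CM describes for auditlog1.txt (not a real log line).
REDIRECTED_DENY_LINE = ('Message: Access denied with code 403 (phase 1). '
    '[file "/usr/local/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[line "221"] [id "949111"] [msg "Inbound Anomaly Score Exceeded in phase 1 '
    '(Total Score: 14)"] [ver "OWASP_CRS/4.14.0"]')
# Constructed raw responses standing in for what the client saw.
RESP_308 = b"HTTP/1.1 308 Permanent Redirect\r\nLocation: https://example.com/\r\n\r\n"
RESP_429 = b"HTTP/1.1 429 Too Many Requests\r\n\r\n"
RESP_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def run_samples() -> dict:
    """Verdicts for the three scenarios in the thread."""
    return {
        "auditlog1_403_then_308": verdict(parse_modsec_message(REDIRECTED_DENY_LINE),
                                          response_status(RESP_308)),
        "auditlog2_429_score0": verdict(parse_modsec_message(CM_ZERO_SCORE_LINE),
                                        response_status(RESP_429)),
        "ervin_detectiononly": verdict(parse_modsec_message(ERVIN_WARNING_LINE),
                                       response_status(RESP_200)),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result}")
```

Run against a live host with `send_probe("wafhost", 80)` and feed the returned status plus the matching audit-log Message line to `verdict`; anything other than `blocked` means the deny in the log did not reach the client. A `zero_score_deny` on an ordinary request is the signature of the broken `SecRuleUpdateActionById` variant, independent of the status code chosen.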