[mod-security-users] Dealing with False Positives
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
[mod-security-users] Dealing with False Positives
|
From: Jerry <gm...@ho...> - 2007-02-15 13:29:09
|
What's the best way to deal with false positives (for newbies)? Should a post be made here for each one? If a false positive is found how should it be dealt with? For now I just rem out the rule but is there an exclude option as with gotroot rules? Here's one to start off with: ModSecurity: Warning. Invalid URL Encoding: Non-hexadecimal digits used. [id "950107"] [msg "Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.widgets.com"] [uri "/555/admin_reports_tracking.php?export=&order=ipaddress&way=asc&searchstr=successful+LIKE+%27%250%25%27&searchdisplay=SEARCH+CRITERIA%3A+Successful+login+like+%270%27&page=0&results=100"] [unique_id "vmuXX8Py7C4AAG6LB8wAAA22O"] This is from a membership management package. Rather than try and fix the rule which is causing the warning how can I just tell modsecurity to exclude admin_reports_tracking.php from triggering rule 950107 |
