Thread: [mod-security-users] Issue with whitelisting rule CRS
From: Marcello L. <ce...@gm...> - 2018-05-21 09:20:46

Hi Users,

we are testing mod_security on an Nginx 1.12.2 version in our development environment, and we installed mod_security 2.9.2 with the OWASP CRS 3.0.2. In our error_log we noticed this error repeated:

2018/05/21 09:13:41 [error] 247#247: [client 10.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at REQUEST_URI. [file "/usr/local/nginx/conf/crs-rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "500"] [id "22"] [msg "got /cp"] [hostname ""] [uri "/pub/test.html"] [unique_id "ALAcAchiAcAcAcAcAVAcAcAG"]

We configured the file RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf to skip the rule with SecRuleRemoveById for the related rule ID, but the entries are still present in the error_log.

Could you confirm whether the configuration permits the content and logs the entry? Is it possible to remove the logging phase as well?

Thanks in advance,
Marcello
From: Christian F. <chr...@ne...> - 2018-05-22 03:45:57

Hey Marcello,

The file mentioned in your alert message points to a CRS rule; however, the ID 22 does not. There is no rule with ID 22 in the CRS. Also, the unique_id looks a bit odd, and there is an empty hostname...

I can not really tell what's happening here.

Ahoj,

Christian

--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
From: Marcello L. <ce...@gm...> - 2018-05-22 06:57:44

Hi Christian,

we found an issue in the CRS 3.0.2 version, https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/773, and the rule with id 22 is a debug rule that was not expected. We have fixed it with a specific rule.

Marcello
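The clue Christian points at (an alert whose [file] is a CRS rule file but whose [id] is not a CRS id) is something a defender can check mechanically when triaging error_log noise, which also tells you whether a SecRuleRemoveById written against CRS ids can ever cover the alert. The following parser is an added example written for this thread, not code from the ModSecurity or CRS projects. It parses the nginx error_log line format shown above, flags ids outside the CRS reserved block, and prints the exclusion directive for each alert. Assumptions: the CRS id block is 900000-999999, CRS rule files live under a path containing "crs", and the second and third sample lines are constructed (only the first is the one from the thread).

```python
import re

# Rule IDs reserved for the OWASP CRS project (assumption for this example:
# the 900000-999999 block from the ModSecurity rule ID reservations).
CRS_ID_MIN, CRS_ID_MAX = 900000, 999999

# ModSecurity 2.x alert lines as nginx writes them to error_log.
# The first line is the one quoted in the thread; the other two are
# constructed for this example (the 920350 alert mimics a genuine CRS hit,
# the [notice] line is ordinary nginx noise that must be ignored).
SAMPLE_LINES = [
    '2018/05/21 09:13:41 [error] 247#247: [client 10.0.0.1] ModSecurity: Warning. '
    'Pattern match "(.*)" at REQUEST_URI. '
    '[file "/usr/local/nginx/conf/crs-rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] '
    '[line "500"] [id "22"] [msg "got /cp"] [hostname ""] [uri "/pub/test.html"] '
    '[unique_id "ALAcAchiAcAcAcAcAVAcAcAG"]',
    '2018/05/21 09:14:02 [error] 247#247: [client 10.0.0.1] ModSecurity: Warning. '
    r'Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. '
    '[file "/usr/local/nginx/conf/crs-rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] '
    '[line "700"] [id "920350"] [msg "Host header is a numeric IP address"] '
    '[hostname "10.0.0.2"] [uri "/pub/test.html"] [unique_id "constructed-id-0001"]',
    '2018/05/21 09:14:05 [notice] 247#247: signal process started',
]

# "ModSecurity: Warning." (rule matched, request allowed through) or
# "ModSecurity: Access denied with code 403 (phase 2)." (request blocked),
# followed by the operator message and the bracketed key/value fields.
ALERT_RE = re.compile(r'ModSecurity: (?P<action>Warning|Access denied[^.]*)\. (?P<detail>.*)$')
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<value>[^"]*)"\]')


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a ModSecurity alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = {k: v for k, v in FIELD_RE.findall(m.group('detail'))}
    fields['action'] = m.group('action')
    return fields


def is_crs_id(rule_id):
    """True if the id string is numeric and inside the CRS reserved block."""
    return rule_id.isdigit() and CRS_ID_MIN <= int(rule_id) <= CRS_ID_MAX


def triage(lines):
    """Parse every alert and flag ids that claim a CRS rule file but lie outside the CRS id range.

    Such an alert (id 22 in REQUEST-920-PROTOCOL-ENFORCEMENT.conf in the thread)
    points at a rule that is not part of the CRS, e.g. a leftover debug rule,
    so an exclusion written against the CRS ids would never cover it.
    """
    results = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        rule_id = alert.get('id', '')
        # Assumption: CRS rule files are installed under a path containing "crs".
        from_crs_file = 'crs' in alert.get('file', '').lower()
        alert['foreign_id'] = from_crs_file and not is_crs_id(rule_id)
        # The directive one would put in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
        # (it must be loaded after the rule it removes, hence the AFTER-CRS file).
        alert['exclusion'] = 'SecRuleRemoveById %s' % rule_id
        results.append(alert)
    return results


if __name__ == '__main__':
    for a in triage(SAMPLE_LINES):
        flag = 'NOT A CRS ID' if a['foreign_id'] else 'crs'
        print('%s id=%s [%s] uri=%s hostname=%r -> %s'
              % (a['action'], a['id'], flag, a['uri'], a['hostname'], a['exclusion']))
```

Run against a real error_log (for example by reading the file into the list instead of SAMPLE_LINES), an alert whose id is still logged after you added SecRuleRemoveById for it is a sign that either the exclusion file is not being loaded after the rule, or, as here, the id belongs to a rule that is not the CRS rule you thought you were excluding.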
From: Christian F. <chr...@ne...> - 2018-05-22 07:07:40

Hi there,

You said you run 3.0.2, and the issue was fixed in said version. But glad you got it fixed.

Ahoj,

Christian

--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/