Chaim Sanders

These are Comodo's rules, you'll have to reach out to them for support. Thanks! On Tue, May 28, 2019 at 1:49 AM Ehsan Javidi javidi@users.sourceforge.net wrote: Hi There is a strange problem with the site that the mode Security plugin has blocked. The plugin recognizes the site's address as an injection! WAF error: http://oneclickpaste.com/9311/ domian: wordpress@amlakeparand.com Data has the following conditions: 1- has "<" first 2- has "and." somewhere after 1 3- has ">" somewhere after 2 regular...

Glad you got it working :) On Sun, Apr 14, 2019, 11:42 AM Escher Penrose penrose@users.sourceforge.net wrote: Great ! It work fine In crs-setup.conf i change SecDefaultAction "phase:1,log,auditlog,pass" SecDefaultAction "phase:2,log,auditlog,pass" by SecDefaultAction "phase:1,logdata:%{request_headers.host},log,auditlog,pass" SecDefaultAction "phase:2,logdata:%{request_headers.host},log,auditlog,pass" And i obtain: [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched...

This can be done! You'd want to capture the value of REQUEST_HEADERS:Host and add it to one of the output areas https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#request_headers. I'd recommend something like "logdata:%{MY_HOST_HEADER}" ( https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#logdata ). Now the real key here is that since you're using CRS, you'll want to change the action of all those rules to include this logdata. The recommended approach is to...

I see what you're going for. Check out the regex the OWASP Core Rule Set twitter (https://twitter.com/CoreRuleSet) just suggested: SecRule ARGS_NAMES|REQUEST_COOKIES_NAMES "@rx ^#|[(?:\'|\")?#.*]" "id:123,phase:2,deny,status:403,t:urldecodeuni,msg:'SA-CORE-2018-002'" On Thu, Mar 29, 2018 at 10:10 AM, Joseph Jozwik jjozwik@users.sourceforge.net wrote: Working on a rule to block traffic based on the starting character of ARGS_NAMES either cookie, get or post Example allow name=Joe Example block name=Joe...

This forum isn't supported anymore, please use github or IRC for support.

Hey @Daniel Kolar, This form isn't supported anymore. If you have any further questions please reach out on the ModSecurity Github page. Thanks!

Please open such issues on github to get assistance https://github.com/SpiderLabs/owasp-modsecurity-crs

If you're having an issue please add it to Github, as this form isn't monitored anymore.