Hello,

I am puzzled why rule ID 950901, contained in the above-mentioned rule file, was triggering a 403 error even though it was supposed (it's my understanding) to log only, due to false positive issues.

I recently installed Ubuntu 10.4 with the distributed Apache binary. I compiled modsec apache 2.5.13 because the Ubuntu distro binary was having issues interpreting the modsecurity_crs_10_config.config instructions, rendering the base_rules useless. It solved these issues, but I am getting some false positive hits by the rule modsecurity_crs_41_sql_injection_attacks, namely rule ID 950901, on POST or GET payloads containing the words 'and' or 'or'. It is my understanding that this rule should be logging-only, since it is placed after the SecMarker END_SQL_INJECTION_PM, and the line

(SecRule TX:PM_SQLI_SCORE "@eq 0" "phase:2,rev:'2.0.10',t:none,pass,skipAfter:END_SQL_INJECTION_PM,nolog")

at the beginning of this rule should set everything after the marker as logging-only.

Am I missing anything? I appreciate all your help.

-- Dan Chirica
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
