Hello,
I'm running into what I think are false positives for rule 960335 in CRS
2.2.2. I see blocked requests with "Operator GT matched 512 at ARGS:xxx"
when there are clearly less than 512 parameters being sent.
Should the "SecRule ARGS" rule be replaced with "SecRule &ARGS", like the
below?
Thanks,
Ty
# Maximum number of arguments in request limited
SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,block,msg:'Too many
arguments in request',id:'960335',severity:'4',rev:'2.2.2'"
SecRule &ARGS "@gt %{tx.max_num_args}"
"t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{
rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
