These should be fixed in the v2.2.2 that was just released today.

--
Ryan Barnett
Senior Security Researcher
Trustwave - SpiderLabs


From: rm4dillo Dasypodidae <[email protected]>
Date: Wed, 28 Sep 2011 10:51:34 -0500
To: Ryan Barnett <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [Owasp-modsecurity-core-rule-set] XSS 973xxx rules "nolog" issue

Thank you for your fast reaction.

On Wed, Sep 28, 2011 at 3:42 PM, Ryan Barnett <[email protected]> wrote:

Good catch, we will remove them and make sure that they use "block" only so they will inherit your SecDefaultAction settings.

Thanks.

--
Ryan Barnett
Senior Security Researcher
Trustwave - SpiderLabs


From: rm4dillo Dasypodidae <[email protected]>
Date: Wed, 28 Sep 2011 08:37:57 -0500
To: "[email protected]" <[email protected]>
Subject: [Owasp-modsecurity-core-rule-set] XSS 973xxx rules "nolog" issue

Hi all,

I just noticed that all the rules that have an id that starts with "973" (modsecurity_crs_41_xss_attacks.conf) are the only CRS rules that have "nolog" and "noauditlog" in their actions list despite the "setvar:tx.%{rule.id}-...-%{matched_var_name}=%{tx.0}" action. Therefore it's impossible to override log destinations for those rules with the "SecDefaultAction" directive.

Is there any reason for that?

TYIA

Rm4dillo

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
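The action-list difference the thread is about, as a constructed ModSecurity configuration example added here (it is not the CRS's own rule text): a rule carrying explicit "nolog,noauditlog" beside the same rule relying on "block" alone. The rule id 9733XX, the "<script" pattern and the WEB_ATTACK/XSS segment of the setvar key are placeholders.

```apache
# Constructed example, not a rule copied from modsecurity_crs_41_xss_attacks.conf.
# The two SecRule lines are alternatives for the same rule; load only one of them,
# since ModSecurity requires rule ids to be unique.

# Site-wide defaults. A rule that names "block" as its disruptive action takes the
# real disruptive action (deny/status) and the log/auditlog settings from here.
SecDefaultAction "phase:2,deny,log,auditlog,status:403"

# BEFORE: the pattern rm4dillo reports. Actions written in the rule's own list win
# over SecDefaultAction, so "nolog,noauditlog" keeps this match out of the error log
# and the audit log regardless of how SecDefaultAction is configured, even though
# setvar still records the hit and tx.0 still holds the captured value.
SecRule ARGS|REQUEST_COOKIES|REQUEST_HEADERS:User-Agent "<script" \
    "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    block,nolog,noauditlog,\
    msg:'XSS Attack Detected',id:'9733XX',tag:'WEB_ATTACK/XSS',severity:'2',\
    setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

# AFTER: the change Ryan describes for v2.2.2. Only "block" is given, so whether and
# where the match is logged follows SecDefaultAction, and an operator can change log
# destinations for all of these rules in one place instead of editing each rule.
SecRule ARGS|REQUEST_COOKIES|REQUEST_HEADERS:User-Agent "<script" \
    "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    block,\
    msg:'XSS Attack Detected',id:'9733XX',tag:'WEB_ATTACK/XSS',severity:'2',\
    setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
```

A quick way to confirm the behaviour on a test instance is to send a request whose parameter contains the placeholder pattern and check the error log and audit log: with the first variant nothing is written no matter what SecDefaultAction says, with the second the entries appear or disappear as SecDefaultAction is changed.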
