You want to do a conditional exception to disable the offending rule ID. Put this in base_rules/modsecurity_crs_15_custom.conf so that it runs before the other CRS rules -
SecRule REQUEST_HEADERS:User-Agent "@beginsWith Google_Analytics_Content_Experiments" "id:1,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=960015"

--
Ryan Barnett
________________________________________
From: SANEESH [sanee...@scigenom.com]
Sent: Wednesday, April 17, 2013 8:56 AM
To: Ryan Barnett
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Mod_Security Blocks Google_Analytics_Content_Experiments

Hi Ryan,

Thanks, I tried the simple SecRule below,

SecRule REQUEST_HEADERS:User-Agent "Google_Analytics_Content_Experiments" "log,allow"

Can you refer the correct method to do it..

Saneesh.

On 17-04-2013 18:20, Ryan Barnett wrote:
> Saneesh,
> You should be able to do an exception for this. What was your exception that
> you tried?
>
> -Ryan
> ________________________________________
> From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org
> [owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] on behalf of
> SANEESH [sanee...@scigenom.com]
> Sent: Wednesday, April 17, 2013 8:32 AM
> To: owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: [Owasp-modsecurity-core-rule-set] Mod_Security Blocks
> Google_Analytics_Content_Experiments
>
> Hi,
> Am trying to integrate Google_Analytics_Content_Experiments to my webpages,
> when trying the Analytic test am getting "We encountered an error while
> trying to connect to the server with your web pages (HTTP status: 403)". I
> found this is because mod_security is blocking the request. Please check the
> below log for more details. I tried to add exception for "user Agent:
> Google_Analytics_Content_Experiments", but no luck. Please help.
>
>
> Log:
> [17/Apr/2013:07:26:18 --0400] wSzSgUDPmqEAABafQXYAAAAA 74.125.186.151 54656 64.207.154.161 80
> --e29d6a3c-B--
> GET /pro-membership2 HTTP/1.1
> User-Agent: Google_Analytics_Content_Experiments (http://support.google.com/analytics/bin/answer.py?topic=1745208&answer=1665377)
> Host:www.test.com
> Accept-Encoding: gzip
> --e29d6a3c-F--
> HTTP/1.1 403 Forbidden
> Last-Modified: Wed, 25 May 2011 01:34:04 GMT
> ETag: "1c00603-3c2-4a40fb3273b00"
> Accept-Ranges: bytes
> Vary: Accept-Encoding,User-Agent
> Content-Encoding: gzip
> X-Powered-By: PleskLin
> Content-Length: 553
> Connection: close
> Content-Type: text/html
> --e29d6a3c-H--
> Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "2.2.5"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
> Action: Intercepted (phase 2)
> Stopwatch: 1366197978059393 1535 (- - -)
> Stopwatch2: 1366197978059393 1535; combined=388, p1=262, p2=86, p3=0, p4=0, p5=40, sr=99, sw=0, l=0, gc=0
> Producer: ModSecurity for Apache/2.6.8 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
> Server: Apache
>
>
>
> Rgrds,
> Saneesh C.
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
>
> ________________________________
>
> This transmission may contain information that is privileged, confidential,
> and/or exempt from disclosure under applicable law. If you are not the
> intended recipient, you are hereby notified that any disclosure, copying,
> distribution, or use of the information contained herein (including any
> reliance thereon) is STRICTLY PROHIBITED. If you received this transmission
> in error, please immediately contact the sender and destroy the material in
> its entirety, whether in electronic or hard copy format.
>
> ________________________________
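
The triage step behind the exception in this thread, as an added example that is not part of the original messages or of the ModSecurity/CRS code: Python that reads sections B and H of an audit-log entry like the one quoted, reports which rule blocked the request, and renders an exception in the form given in the reply. The sample entry is constructed from the quoted log; split_sections(), triage() and exception_rules() are hypothetical helper names, and numbering the custom rule ids from 1 is an assumption.

```python
import re

# Constructed sample: sections B and H of the entry quoted in the thread (section F, tags and stopwatch lines left out).
SAMPLE = """\
--e29d6a3c-B--
GET /pro-membership2 HTTP/1.1
User-Agent: Google_Analytics_Content_Experiments (http://support.google.com/analytics/bin/answer.py?topic=1745208&answer=1665377)
Host:www.test.com
Accept-Encoding: gzip
--e29d6a3c-H--
Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "2.2.5"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
"""

BOUNDARY = re.compile(r"^--[0-9a-f]+-([A-Z])--$")   # e.g. --e29d6a3c-H--
META = re.compile(r'\[(\w+) "([^"]*)"\]')            # e.g. [id "960015"]

def split_sections(entry):
    """Map section letter -> list of lines for one audit-log entry."""
    sections, current = {}, None
    for line in entry.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    return sections

def triage(entry):
    """Collect what is needed to write a narrow exception for a blocked request."""
    sections = split_sections(entry)
    headers = {}
    for line in sections.get("B", [])[1:]:            # [1:] skips the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    blocked = [dict(META.findall(l)) for l in sections.get("H", [])
               if l.startswith("Message: Access denied")]
    return {"user_agent": headers.get("user-agent", ""), "has_accept": "accept" in headers,
            "blocked_ids": [m["id"] for m in blocked if "id" in m]}

def exception_rules(report, first_id=1):
    """Render one exception per blocking rule, in the form given in the reply (hypothetical helper)."""
    token = report["user_agent"].split(" ")[0]
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", token):   # refuse anything that could break out of the quoted operator
        raise ValueError("User-Agent token is not safe to embed in a rule")
    return [f'SecRule REQUEST_HEADERS:User-Agent "@beginsWith {token}" '
            f'"id:{first_id + n},phase:1,t:none,nolog,pass,ctl:ruleRemoveById={rid}"'
            for n, rid in enumerate(report["blocked_ids"]) if rid.isdigit()]
```

Because the User-Agent header is client-supplied, removing only the listed rule with ctl:ruleRemoveById keeps every other CRS check active for these requests, which an allow action would not.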