From: Aniyan Rajan <aniyan.raj...@gmail.com>
Date: Wednesday, June 5, 2013 8:25 AM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Request content type is not allowed by policy
>> Josh,
>>
>> Editing the CRS rules directly is not recommended as it makes upgrading the rules much harder. Furthermore, it's probably a good idea to upgrade ModSecurity to the latest version as there was recently a DoS related vulnerability patched. Once you are running a more recent version, your options for handling false positives become significantly more flexible as well, see:
>> http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html

> I know that using the latest version is better, but I have some practical difficulties upgrading at the moment. I will do that only after 6 months.

>> On ModSec 2.5.12, you can simply white-list the offending rule(s) by including something like the following *before* you include the offending CRS rules.
>>
>> <Location /iredadmin/login>
>> SecRuleRemoveById 960010
>> </Location>

> This solution is fine for me. I gave this in apache.conf as follows. But it is not working (still forbidden). Is it Location or LocationMatch? Thanks.
>
> <IfModule security2_module>
> <Location /iredadmin/login/>
> SecRuleRemoveById 960010
> </Location>
> Include modsecurity_crs/modsecurity_crs_10_setup.conf
> Include modsecurity_crs/activated_rules/*.conf
> </IfModule>

The reason this does not work is because rule ID 960010 runs in phase:1, and by placing the SecRuleRemoveById directive within an Apache scope location, it won't execute until the end of phase:2. You might want to do this instead in a custom rules file that runs before the other rules:

SecRule REQUEST_FILENAME "@beginsWith /iredadmin/login/" "phase:1,id:123,t:none,nolog,pass,ctl:ruleRemoveById=960010"

-Ryan
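A complete version of the phase:1 exception Ryan describes, shown in the context of the include order from the thread. This is an added illustration, not configuration from the thread, from Ryan, or from the CRS project. Rule 960010, the /iredadmin/login/ path, and the two CRS include lines come from the thread; the rule id 10001, the comment text, and the placement of the exception directly in apache.conf (rather than in a separate custom rules file) are assumptions made for the example.

```apache
<IfModule security2_module>
    # CRS setup must come first: it defines the tx.* variables the rules use.
    Include modsecurity_crs/modsecurity_crs_10_setup.conf

    # Exception for rule 960010 ("Request content type is not allowed by
    # policy") on the iRedAdmin login page only.  Two things matter here:
    #
    #  1. 960010 runs in phase:1, so the exception must also be a phase:1
    #     rule.  A SecRuleRemoveById inside <Location> does not help because
    #     Apache only resolves the location (and merges per-directory
    #     ModSecurity config) after phase:1 has already run.
    #  2. The rule must be loaded *before* the CRS file that defines 960010,
    #     so that ctl:ruleRemoveById is already in effect when the CRS rule
    #     would otherwise be evaluated for the matching request.
    #
    # REQUEST_FILENAME is the URI path without the query string, so
    # @beginsWith avoids the <Location> vs <LocationMatch> question entirely.
    # id:10001 is an arbitrary value chosen for this example; keep custom
    # ids outside the ranges used by the CRS.
    SecRule REQUEST_FILENAME "@beginsWith /iredadmin/login/" \
        "phase:1,id:10001,t:none,nolog,pass,ctl:ruleRemoveById=960010"

    # The CRS rules themselves, including the file that defines 960010.
    Include modsecurity_crs/activated_rules/*.conf
</IfModule>
```

To confirm the exception took effect, reload Apache, send a request to /iredadmin/login/ that previously returned 403, and check that the ModSecurity audit log entry for that request no longer lists id "960010"; requests to other paths should still be subject to the rule. Because ctl:ruleRemoveById disables the whole rule for every request under that path prefix, a narrower option worth considering in CRS 2.2.x setups is to add the specific Content-Type the login form sends to the tx.allowed_request_content_type list in modsecurity_crs_10_setup.conf, which keeps the policy check in place for other content types; which value that would be is not stated in the thread.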