Hi all,

Besides using my own blocking rules, I am experimenting with the CRS in anomaly scoring mode. Since I like to keep most of the rules enabled and create narrow exceptions, I regularly get some false positives on the CRS, and I really need to have a friendly 'blocked' page.
What seems to work for me in most situations is changing the following default action in modsecurity_crs_10_setup.conf:

    SecDefaultAction phase:2,pass,log,status:509

I've used the friendly error trick from the ModSecurity Handbook, so my config also includes:

    ErrorDocument 509 /modsecurity-errorpage/
    Alias /modsecurity-errorpage/ /opt/httpd/etc/apache22/mod_security2/errorpage/
    <Directory "/opt/httpd/etc/apache22/mod_security2/errorpage/">
        Order allow,deny
        Allow from all
    </Directory>

In that dir, there's an index.php that sends a 403 header and some info. This appears to work fine for the CRS in most situations. Inbound blocking now displays the error page, and outbound blocking mostly seems to display it as well.

There seems to be one slight problem involving scripts that send a 5xx response status. If I trigger rules such as 970901 or 970021 in modsecurity_crs_50_outbound.conf by calling a PHP script which returns a 5xx status, such as:

    <?php
    header('HTTP/1.0 500 Error'); // The application is not available

I don't get the friendly error page; instead I get Apache's default "internal error" page, which says "509 unused":

    The server encountered an internal error or misconfiguration and was unable to complete your request. [...]
    Additionally, a 509 unused error was encountered while trying to use an ErrorDocument to handle the request.

That's even scarier than the default 403 Forbidden page! I'm puzzled why it would encounter a problem resolving the ErrorDocument, and I'm not sure where the problem is, since the trick works fine in other outbound blocking situations that get a 2xx status (such as open dirs).

Is there a better way to use friendly blocking in combination with the CRS, which (hopefully) resolves the problem with scripts returning 5xx status?

Cheers!
WH
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
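As an added illustration (this is not the poster's actual index.php and is not part of the original message), here is a minimal error page of the kind the setup above points ErrorDocument 509 at. It assumes Apache passes its usual REDIRECT_* environment variables to the ErrorDocument target and that mod_unique_id is loaded so that REDIRECT_UNIQUE_ID is available; the wording and variable names are my own.

```php
<?php
// Added example of a "friendly" ModSecurity block page, served through
// ErrorDocument 509 /modsecurity-errorpage/ as in the config above.
// Assumption: Apache sets REDIRECT_STATUS / REDIRECT_URL on the internal
// redirect and, with mod_unique_id loaded, REDIRECT_UNIQUE_ID.

// Whatever placeholder status the internal redirect arrived with (509 in
// the setup above), send a plain 403 so the client never sees that code.
header('HTTP/1.1 403 Forbidden');
header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: no-store');

// Prefer the ID of the blocked request; fall back to the current one.
$uid = isset($_SERVER['REDIRECT_UNIQUE_ID']) ? $_SERVER['REDIRECT_UNIQUE_ID']
     : (isset($_SERVER['UNIQUE_ID']) ? $_SERVER['UNIQUE_ID'] : 'n/a');
$url = isset($_SERVER['REDIRECT_URL']) ? $_SERVER['REDIRECT_URL'] : '/';

// Everything echoed is HTML-escaped so the block page itself cannot be
// turned into a reflected-XSS vector via a crafted request path.
$uid_html = htmlspecialchars($uid, ENT_QUOTES, 'UTF-8');
$url_html = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<head><title>Request blocked</title></head>
<body>
<h1>Request blocked</h1>
<p>Your request to <code><?php echo $url_html; ?></code> was blocked by the
web application firewall.</p>
<p>If you believe this is a mistake, please contact the site administrator
and quote this reference: <code><?php echo $uid_html; ?></code></p>
</body>
</html>
```

The reference shown to the visitor is the mod_unique_id transaction ID, which ModSecurity also records in its audit log when that module is loaded, so an administrator can find the matching audit entry from a user complaint without the page revealing which rule fired or what data matched.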