Hello Jacob, sorry for the slow response.

Based on your log file it seems clear that you are using an outdated version of CRS. Updating may fix *some* of the false positives you are facing. Upon inspecting your log the following rules are being triggered:

- Detects concatenated basic SQL Injection and SQLLFI attempts
- Request from Known SPAM Source
- Restricted SQL Character anomaly detection alert
- SQL Injection Attack: SQL Operator Detected
- Request content type is not allowed by policy

It is possible that some or all of these are false positives based on how the application is functioning. I suggest you follow the guidance set forth in the following blog post (http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html) in order to analyze these events. If you are having additional issues please be sure to reach out and we will try to address them as best as possible.

Thanks!
Chaim Sanders
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

-----Original Message-----
From: Ryan Barnett
Sent: Tuesday, January 27, 2015 10:04 AM
To: Chaim Sanders
Subject: FW: [Owasp-modsecurity-core-rule-set] Legitimate traffic being blocked

On 1/23/15, 6:20 PM, "Jacob Lear" <ja...@fosterclub.com> wrote:

> Hello,
>
> I am working on setting up better security for my Debian 6 server. I am new to ModSecurity and OWASP Core Rules. The problem that I'm having is that it is blocking legitimate traffic and I don't understand why or how to fix it. Can somebody help me? Here is some pretty detailed information about my environment and my problem.
>
> Apache2 is my webserver and it is installed from the Debian package. The version is 2.2.16-6+squeeze14. I'm using the Worker MPM.
> I installed ModSecurity from the Debian package. The version is: 2.5.12-1+squeeze4
> Per the recommendation of an article I found online, I installed OWASP 2.2.5-0. I had initially tried the most recent version of OWASP but this gave me errors (due to my version of ModSecurity).
> I'm using PHP compiled from source, version 5.4.24.
> I'm using PHP-FPM FastCGI.
> I'm using MySQL 5.1.73-1+deb6u1.
> I'm using Memcached 2.1.0.
> ZendOpcode Cache 7.0.3 is installed.
> Website is built using the Drupal CMS, version 7.28.
> All non-SSL traffic is redirected to SSL.
>
> I had some troubles getting Apache2 to pass the configtest but I was able to find the proper configuration changes needed via Google searching. I enabled all of the rules as per the INSTALL instructions included in OWASP CRS. I also enabled the experimental Brute Force, DOS, and Slow DOS rules (these don't appear to be causing any issues.)
>
> I set ModSecurity to "On" mode but quickly got complaints from our staff being blocked by it. So now it is in "DetectionOnly" mode. I looked in the AuditLog but didn't see anything helpful in there (just a bunch of stuff about cookies -- perhaps because things in the 10 setup file are set to nolog?). However, the Apache2 SSL Error log shows a lot of information about the block attempts.
>
> Our staff users are connecting from the IP address 63.227.218.204, so I filtered the SSL Error Log to dump all entries with that IP address to a separate file. All of the warnings/errors in this log are legitimate traffic. So I need help tuning ModSecurity and OWASP to permit this traffic. I've attached the log file to this post.
> http://scanmail.trustwave.com/?c=4062&d=rNzC1FWzzHEEgobdigSUf2LNp5DNTN-GhDVv7Jp46g&s=5&u=https%3a%2f%2fwww%2efosterclub%2ecom%2fsites%2fdefault%2ffiles%2ffile%2foutput%2elog
>
> I have also attached my modsecurity.conf file and my modsecurity_crs_10_setup.conf file.
> http://scanmail.trustwave.com/?c=4062&d=rNzC1FWzzHEEgobdigSUf2LNp5DNTN-GhDNs5sp46Q&s=5&u=https%3a%2f%2fwww%2efosterclub%2ecom%2fsites%2fdefault%2ffiles%2ffile%2fmodsecurity%2econf
> http://scanmail.trustwave.com/?c=4062&d=rNzC1FWzzHEEgobdigSUf2LNp5DNTN-GhGVrusp95w&s=5&u=https%3a%2f%2fwww%2efosterclub%2ecom%2fsites%2fdefault%2ffiles%2ffile%2fmodsecurity%5fcrs%5f10%5fsetup%2econf
>
> I would very much appreciate any help anyone can offer. Please let me know if you need any additional information. Thanks!
>
> --
>
> Jacob Lear
> Web Administrator
> FosterClub, Inc.
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> http://scanmail.trustwave.com/?c=4062&d=rNzC1FWzzHEEgobdigSUf2LNp5DNTN-GhGQ65sp85w&s=5&u=https%3a%2f%2flists%2eowasp%2eorg%2fmailman%2flistinfo%2fowasp-modsecurity-core-rule-set
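The triage the reply points to, as an added Python example (not code from the thread, the CRS project or the linked post): group the Apache error-log alerts coming from the known-good staff IP by rule id, then emit the narrowest exception for each. The log lines and rule ids 990001/990003 are constructed placeholders, and SecRuleUpdateTargetById requires ModSecurity 2.6 or later, so it applies after the upgrade the reply recommends.

```python
import re
# Constructed sample of ModSecurity 2.x alerts as the Apache error log records
# them (not the poster's real log); ids 990001 and 990003 are placeholders.
SAMPLE_LOG = r"""
[Fri Jan 23 18:02:11 2015] [error] [client 63.227.218.204] ModSecurity: Warning. Pattern match "(?i:\b(?:and|or)\b)" at ARGS:body[und][0][value]. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "99"] [id "990001"] [msg "SQL Injection Attack: SQL Operator Detected"] [hostname "www.example.org"] [uri "/node/42/edit"]
[Fri Jan 23 18:05:40 2015] [error] [client 63.227.218.204] ModSecurity: Warning. Pattern match "(?i:\b(?:and|or)\b)" at ARGS:title. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "99"] [id "990001"] [msg "SQL Injection Attack: SQL Operator Detected"] [hostname "www.example.org"] [uri "/node/add/article"]
[Fri Jan 23 18:06:02 2015] [error] [client 63.227.218.204] ModSecurity: Warning. Match of "rx ^(?:application/x-www-form-urlencoded|multipart/form-data)$" against "REQUEST_HEADERS:Content-Type" required. [file "/etc/modsecurity/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "990003"] [msg "Request content type is not allowed by policy"] [hostname "www.example.org"] [uri "/file/ajax/field_image/und/0"]
[Fri Jan 23 18:07:03 2015] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i:\b(?:and|or)\b)" at ARGS:q. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "99"] [id "990001"] [msg "SQL Injection Attack: SQL Operator Detected"] [hostname "www.example.org"] [uri "/search/node"]
"""
FIELD_RE = r'\[%s "([^"]*)"\]'   # [id "..."], [msg "..."], [uri "..."]
# Variable the rule fired on: 'at ARGS:x.' for @rx, 'against "VAR" required.' for negated checks
VAR_RE = re.compile(r' (?:at|against) "?([A-Z_]+(?::\S+?)?)"?\.? (?:required\. )?\[file')

def parse_alert(line):
    """Extract client, rule id, msg, uri and matched variable; None if not a ModSecurity alert."""
    m = re.search(r'\[client ([0-9a-f.:]+)\]', line)
    if "ModSecurity: " not in line or not m:
        return None
    fields = {"client": m.group(1)}
    for name in ("id", "msg", "uri"):
        m = re.search(FIELD_RE % name, line)
        if not m:
            return None
        fields[name] = m.group(1)
    m = VAR_RE.search(line)
    fields["var"] = m.group(1) if m else None
    return fields

def summarize(log_text, client_ip):
    """Group alerts from one known-good client by rule id: hit count and (uri, variable) pairs."""
    by_rule = {}
    for line in log_text.splitlines():
        a = parse_alert(line)
        if a and a["client"] == client_ip:
            e = by_rule.setdefault(a["id"], {"msg": a["msg"], "count": 0, "targets": set()})
            e["count"] += 1
            e["targets"].add((a["uri"], a["var"]))
    return by_rule

def suggest_exceptions(by_rule):
    """Narrowest fix first: exclude only the offending ARGS variable, never the whole rule."""
    out = []
    for rule_id, e in sorted(by_rule.items()):
        out.append("# %s hit %d time(s): %s" % (rule_id, e["count"], e["msg"]))
        for uri, var in sorted(e["targets"], key=str):
            if var and var.startswith("ARGS:"):
                out.append('SecRuleUpdateTargetById %s "!%s"  # seen on %s' % (rule_id, var, uri))
            else:
                out.append("# %s matched %s on %s: fix the policy setting, not the rule" % (rule_id, var, uri))
    return out
```

Run it over the filtered log with the staff IP and review each suggested line against the request before adding it to a custom rules file; a policy rule such as the content-type check is tuned in the setup file's allowed list, not by excluding a variable.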