Hey Luiz, It looks like the rule in question deals with lack of a user agent, probably from some sort of internal requests or scripts. In any event, your method should work fine. The one thing I will advise is to use the ‘new’ (modsecurity 2.7 or greater) ipmatch (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ipMatch) directive. You should find this makes your code more resilient and readable. If you run into problems keep us updated.
Also, if you find any requests that are made as part of the default installation that cause issues (for instance on /bob/test.php the comment parameter includes stuff that looks like XSS but really isn’t) for a product like Joomla we would consider adding that to the exceptions file. Thanks for your question, good luck!

From: Guilherme Y <asiaya...@hotmail.com>
Date: Tuesday, May 12, 2015 at 7:34 PM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] Rule 960009 generates false positives from my own server IP

Hi! I don't know if anyone experiences the same issue as us here, but I suppose at least this might contribute to all. I installed OWASP rules on a Centos running 2 Joomla sites with nearly 5,000 unique visitors a day. I was fortunate enough to identify and disable 12 rules that delivered a bunch of false positives (one of them locked down the server when one of us in the team submitted a security scan from CSF/LFD...). So, now it is running fine but one rule still delivers near 1,000 false positives a day and, oddly enough, has our own server IP as source! And the severity level for ALL of the hits is NOTICE. So, this is not so much troublesome, except for the extra load on the server and the log size. I rotate it automatically every night but it comes out at nearly 0,3 GB as standard size.

So, what I am trying to do but don't know exactly how is to implement something like this in a file named modsecurity_crs_15_localrules.conf:

SecRule REMOTE_ADDR "@streq XXX.YYY.Z.WWW" \
    "phase:1,t:none,pass,nolog,ctl:ruleRemoveById=960009"

where XXX.YYY.Z.WWW is my server's IP address. Does anyone know if this is correct and if it can actually work to keep my server out of this rule execution?

Tks a lot! All the best!
Luiz Guilherme
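For readers landing on this thread later, here is the same exclusion written with @ipMatch as the reply suggests. This is an added example, not code from either poster: the addresses, the rule ids and the list-file path are placeholders, and the file name is the one named in the question.

```apache
# modsecurity_crs_15_localrules.conf (loads before the CRS base rules)
#
# Skip rule 960009 (request missing a User-Agent header) only for requests
# that come from the server itself. @ipMatch takes a comma-separated list
# of addresses or CIDR ranges, so loopback and the public address can
# share one rule instead of one @streq rule per address.
#
# 203.0.113.10 is a placeholder for the server's own IP. The id values are
# arbitrary local ids: ModSecurity 2.7 and later refuse to load a rule
# that has no id action, which the rule in the question lacks.
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1,203.0.113.10" \
    "id:1000960,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=960009"

# Same exclusion with the list kept in a separate file (one address or
# CIDR per line, placeholder path), useful when several internal hosts
# run monitoring scripts without a User-Agent:
# SecRule REMOTE_ADDR "@ipMatchFromFile /etc/modsecurity/internal-hosts.txt" \
#     "id:1000961,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=960009"
```

The ctl action is scoped to the current transaction, so the removal still applies when 960009 runs in a later phase, while rule 960009 keeps firing for every other client. Removing the rule globally with SecRuleRemoveById would silence it for external requests too, which is the behaviour to avoid.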
