> The rule id without the parameter triggering and the value
> of the parameter does not do you any good. You need the
> audit-log or at least the apache error-log to be able to
> tune it. If that is not possible, then
> the apache error-log can take you very far as well.

They didn't give me that unfortunately. For one custom web-app I run I
was able to trace the error down to a specific section of the backend
code, which got me within the specific module. No idea why the
security triggered as the module is very basic, just takes some input,
does a sanity check on the input, sanitizes for MySQL injections, then
updates a database entry. MediaWiki (black box that it is) did exactly
the same sort of thing.

What got me curious was that from the end user perspective, if you
wrote, for example, the simple basic text (minus quotes): "The Grey
fox jumped over the brown cow." it would trigger modsecurity. However,
if you changed Grey to Gray or fox to dog, it wouldn't trigger. So why
a simple word change allowed the exact same text to go through I have
no idea. In this particular instance I ended up bisecting the
paragraph being entered to discover it was a simple choice of words
causing the error.

*shrugs* Go Figure. :-)


-- 
Drew

"Nothing in life is to be feared. It is only to be understood."
--Marie Curie

"This started out as a hobby and spun horribly out of control."
-Unknown
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
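
The manual bisection described in the message above can be automated as a word-level delta-debugging reduction, which narrows a blocked submission down to the smallest set of words that still triggers the block. This is an added example, not code from the original post or from the ModSecurity/CRS project; `is_blocked` and its pattern are a constructed stand-in for the real verdict (in practice, a request to a staging copy of the application that checks for the blocking response), not an actual CRS rule.

```python
import re

# Constructed stand-in for the WAF verdict, NOT a real CRS rule. It only
# mimics the behaviour reported in the thread so the reduction can run offline.
_STAND_IN = re.compile(r"\bgrey\s+fox\b", re.IGNORECASE)

# Sample text quoted in the message above.
SAMPLE = "The Grey fox jumped over the brown cow."


def is_blocked(text):
    """Hypothetical oracle: True if the submission would be rejected."""
    return bool(_STAND_IN.search(text))


def minimize(words, blocked):
    """Return a 1-minimal sublist of `words` that `blocked` still rejects.

    Classic ddmin: try each chunk alone, then each complement, and only
    split into finer chunks when neither reduces the input.
    """
    if not blocked(" ".join(words)):
        raise ValueError("input is not blocked; nothing to reduce")
    n = 2
    while len(words) >= 2:
        size = len(words) // n
        chunks = [words[i:i + size] for i in range(0, len(words), size)]
        reduced = False
        for i, chunk in enumerate(chunks):
            rest = [w for j, c in enumerate(chunks) if j != i for w in c]
            if blocked(" ".join(chunk)):        # the chunk alone triggers
                words, n, reduced = chunk, 2, True
                break
            if blocked(" ".join(rest)):         # the chunk is irrelevant
                words, n, reduced = rest, max(n - 1, 2), True
                break
        if not reduced:
            if n >= len(words):                 # already at single words
                break
            n = min(len(words), n * 2)          # split finer and retry
    return words


if __name__ == "__main__":
    print("minimal trigger:", minimize(SAMPLE.split(), is_blocked))
```

The reduced word list is the string to look for in the audit log or Apache error log entry for the request, since it identifies the input but not the rule that matched it.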
