Kenneth,

You are running in blocking mode with anomaly scoring off.
This is the hardest mode to tune and it will block immediately if
something is amiss. I suggest you run in blocking mode with anomaly
scoring on and a high anomaly limit (-> 1K or more).

The rule which blocked your request is 958291. It is known for a lot of
false positives and it is not one of my favorite rules. You can switch it
off completely with

  SecRuleRemoveByID 958291

But be assured given your config, the next rule will bite immediately.

We are sorry, getting started with the CRS is so hard. We are working
on a new release and new documentation which will make things easier.

Best,

Christian

On Tue, May 17, 2016 at 01:07:13PM +0800, T. Kenneth Lojo (IRRI) wrote:
> I get this on my log:
>
> --5d2d5838-A--
> [17/May/2016:13:03:18 +0800] VzqmFgqA0uwAAA7nNtkAAAAW 66.220.158.117 29357 10.144.68.249 80
>
> --5d2d5838-B--
> GET /our-impact/protecting-the-environment/increasing-soil-health-and-productivity-of-rice-crops HTTP/1.1
> User-Agent: facebookexternalhit/1.1 (+ http://www.facebook.com/externalhit_uatext.php)
> Accept: */*
> Accept-Encoding: deflate, gzip
> Range: bytes=0-524287
> Host: irri.org
> Connection: close
>
> --5d2d5838-F--
> HTTP/1.1 403 Forbidden
> Content-Length: 293
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> --5d2d5838-E--
>
> --5d2d5838-H--
> Message: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/etc/httpd/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "428"] [id "958291"] [rev "2"] [msg "Range: field exists and begins with 0."] [data "bytes=0-524287"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"]
> Action: Intercepted (phase 2)
> Stopwatch: 1463461398712034 9447 (- - -)
> Stopwatch2: 1463461398712034 9447; combined=438, p1=345, p2=53, p3=0, p4=0, p5=38, sr=183, sw=2, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
> Server: Apache
> Engine-Mode: "ENABLED"
>
> --5d2d5838-Z--
>
> On Tue, May 17, 2016 at 1:00 PM, T. Kenneth Lojo (IRRI) <t.l...@irri.org> wrote:
>
> > Can you point me to the right direction in correcting? It seems to be
> > blocking all links that we post on Facebook other than the homepage. Which
> > logs do I need to analyze? How do I circumvent?
> >
> > On Tue, May 17, 2016 at 12:57 PM, Christian Folini <christian.fol...@netnea.com> wrote:
> >
> >> Kenneth,
> >>
> >> On Tue, May 17, 2016 at 12:28:54PM +0800, T. Kenneth Lojo (IRRI) wrote:
> >> > Our company has started using mod security as a web application firewall
> >> > and we used the OWASP core rule set. When we apply the CRS Facebook cannot
> >> > scrape our site and gives a 403 forbidden message. Can you provide
> >> > directions on how to correct this? Our website is http://irri.org
> >>
> >> This is typical behaviour for a new CRS install, which blocks
> >> what seem to be legitimate requests as false positives.
> >>
> >> If you want to continue in blocking mode, you need to tune the system.
> >> Which means you need to get rid of the false positives, by
> >> writing ModSec rules telling the engine to circumvent the said
> >> offending rules.
> >>
> >> Google for ModSecurity tuning and false positives.
> >>
> >> And good luck!
> >>
> >> Christian
> >>
> >> --
> >> First you make it, then it works, then you invite people to
> >> make it better.
> >> -- Eben Moglen, Free Software Foundation
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
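
An added example, not part of the original thread or of the CRS project: a small parser for ModSecurity's serial audit log that tallies which rule, matched variable and client account for each blocked request, which is the information needed before switching a rule off. The sample is the entry quoted in the thread, trimmed; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the audit log entry quoted in the thread, trimmed to
# sections A, B, H and Z with the mail client's line wraps rejoined.
SAMPLE = """--5d2d5838-A--
[17/May/2016:13:03:18 +0800] VzqmFgqA0uwAAA7nNtkAAAAW 66.220.158.117 29357 10.144.68.249 80
--5d2d5838-B--
GET /our-impact/protecting-the-environment/increasing-soil-health-and-productivity-of-rice-crops HTTP/1.1
User-Agent: facebookexternalhit/1.1 (+ http://www.facebook.com/externalhit_uatext.php)
Range: bytes=0-524287
--5d2d5838-H--
Message: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/etc/httpd/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "428"] [id "958291"] [rev "2"] [msg "Range: field exists and begins with 0."] [data "bytes=0-524287"] [severity "WARNING"]
Action: Intercepted (phase 2)
--5d2d5838-Z--
"""

BOUNDARY = re.compile(r"^--[0-9a-f]+-([A-Z])--$")

def parse_entries(text):
    """Split a serial audit log into entries, each {section letter: [lines]}."""
    entries, section = [], None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            section = m.group(1)
            if section == "A":          # section A opens a new transaction
                entries.append({})
            if entries:
                entries[-1][section] = []
        elif entries and section and line:
            entries[-1][section].append(line)
    return entries

def blocking_hits(text):
    """Count (rule id, matched variable, User-Agent) over blocked requests."""
    hits = Counter()
    for e in parse_entries(text):
        h = e.get("H", [])
        if not any(l.startswith("Action: Intercepted") for l in h):
            continue                    # only requests the engine actually blocked
        ua = next((l.split(":", 1)[1].strip() for l in e.get("B", [])
                   if l.lower().startswith("user-agent:")), "-")
        for l in (l for l in h if l.startswith("Message:")):
            rid = re.search(r'\[id "(\d+)"\]', l)
            var = re.search(r" at (\S+)\. \[file ", l)
            hits[(rid.group(1) if rid else "?", var.group(1) if var else "?", ua)] += 1
    return hits
```

Sorting the result with `most_common()` gives a worklist of false-positive candidates; the User-Agent column is client-supplied, so treat it as a hint about who is affected, not as proof of identity.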