Thanks for the reply, Christian. How do I turn anomaly scoring on? Is there a disadvantage in turning off the headers rules?
Kenneth

On Tue, May 17, 2016 at 2:15 PM, Christian Folini <christian.fol...@netnea.com> wrote:
> Kenneth,
>
> You are running in blocking mode with anomaly scoring off.
>
> This is the hardest mode to tune and it will block immediately
> if something is amiss.
>
> I suggest you run in blocking mode with anomaly scoring on and
> a high anomaly limit (-> 1K or more).
>
> The rule which blocked your request is 958291. It is known for
> a lot of false positives and it is not one of my favorite rules.
>
> You can switch it off completely with
> SecRuleRemoveByID 958291
>
> But be assured given your config, the next rule will bite immediately.
>
> We are sorry, getting started with the CRS is so hard. We are working
> on a new release and new documentation which will make things easier.
>
> Best,
>
> Christian
>
> On Tue, May 17, 2016 at 01:07:13PM +0800, T. Kenneth Lojo (IRRI) wrote:
>> I get this on my log:
>>
>> --5d2d5838-A--
>> [17/May/2016:13:03:18 +0800] VzqmFgqA0uwAAA7nNtkAAAAW 66.220.158.117 29357 10.144.68.249 80
>>
>> --5d2d5838-B--
>> GET /our-impact/protecting-the-environment/increasing-soil-health-and-productivity-of-rice-crops HTTP/1.1
>> User-Agent: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
>> Accept: */*
>> Accept-Encoding: deflate, gzip
>> Range: bytes=0-524287
>> Host: irri.org
>> Connection: close
>>
>> --5d2d5838-F--
>> HTTP/1.1 403 Forbidden
>> Content-Length: 293
>> Connection: close
>> Content-Type: text/html; charset=iso-8859-1
>>
>> --5d2d5838-E--
>>
>> --5d2d5838-H--
>> Message: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/etc/httpd/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "428"] [id "958291"] [rev "2"] [msg "Range: field exists and begins with 0."] [data "bytes=0-524287"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"]
>> Action: Intercepted (phase 2)
>> Stopwatch: 1463461398712034 9447 (- - -)
>> Stopwatch2: 1463461398712034 9447; combined=438, p1=345, p2=53, p3=0, p4=0, p5=38, sr=183, sw=2, l=0, gc=0
>> Response-Body-Transformed: Dechunked
>> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
>> Server: Apache
>> Engine-Mode: "ENABLED"
>>
>> --5d2d5838-Z--
>>
>> On Tue, May 17, 2016 at 1:00 PM, T. Kenneth Lojo (IRRI) <t.l...@irri.org> wrote:
>>> Can you point me to the right direction in correcting? It seems to be
>>> blocking all links that we post on Facebook other than the homepage. Which
>>> logs do I need to analyze? How do I circumvent?
>>>
>>> On Tue, May 17, 2016 at 12:57 PM, Christian Folini <christian.fol...@netnea.com> wrote:
>>>> Kenneth,
>>>>
>>>> On Tue, May 17, 2016 at 12:28:54PM +0800, T. Kenneth Lojo (IRRI) wrote:
>>>>> Our company has started using mod security as a web application firewall
>>>>> and we used the OWASP core rule set. When we apply the CRS Facebook cannot
>>>>> scrape our site and gives a 403 forbidden message. Can you provide
>>>>> directions on how to correct this? Our website is http://irri.org
>>>>
>>>> This is typical behaviour for a new CRS install, which blocks
>>>> what seem to be legitimate requests as false positives.
>>>>
>>>> If you want to continue in blocking mode, you need to tune the system.
>>>> Which means you need to get rid of the false positives, by
>>>> writing ModSec rules telling the engine to circumvent the said
>>>> offending rules.
>>>>
>>>> Google for ModSecurity tuning and false positives.
>>>>
>>>> And good luck!
>>>>
>>>> Christian
>>>>
>>>> --
>>>> First you make it, then it works, then you invite people to
>>>> make it better.
>>>> -- Eben Moglen, Free Software Foundation
>>>
>>> --
>>> *T. Kenneth S. Lojo*
>>> Specialist-Online Media Design
>>> IRRI <http://irri.org/> +63 2 580 5600 ext. 2703/2744
>>> +63 928 209 1191 (mobile)
>>> t.l...@irri.org <g.lav...@irri.org>
>>> www.irri.org
>>> Facebook <http://www.facebook.com/IRRI.ricenews> Twitter <http://twitter.com/RiceResearch> Flickr <http://www.flickr.com/photos/ricephotos/collections/> Youtube <http://www.youtube.com/user/irrivideo/featured> Scribd <http://www.scribd.com/IRRI_resources> Linkedin <http://www.linkedin.com/company/international-rice-research-institute> Soundcloud <https://soundcloud.com/irri-radio> Google+ <https://plus.google.com/103972671963502739315>
>>>
>>> The International Rice Research Institute <http://irri.org> is a member
>>> of the CGIAR <http://www.cgiar.org/>
>>
>> --
>> The International Rice Research Institute <http://irri.org> is a member of
>> the CGIAR <http://cgiar.org> consortium
>>
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
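The configuration change Christian describes, written out as an added example for this page; it is not code from the thread, from Kenneth's install, or from the CRS project itself. It uses the CRS 2.2.x setup directives (rule ids 900001-900003 and the tx.* variables from modsecurity_crs_10_setup.conf, which the audit log's "OWASP_CRS/2.2.9" version tag points at) to move from "blocking with anomaly scoring off" to "blocking with anomaly scoring on and a high limit", and then shows two ways to deal with rule 958291. The local exclusion file name, the local rule id 1000001 and the 1000-point limit are assumptions made here; 958291 is phase 2 and severity WARNING as the audit log section H shows.

```apache
# modsecurity_crs_10_setup.conf  (CRS 2.2.x; the file Kenneth's install
# already loads before base_rules/*.conf)

# The engine mode shown as Engine-Mode: "ENABLED" in the audit log.
# "DetectionOnly" is the alternative for a pure tuning period: everything
# is logged to the audit log, nothing is denied.
SecRuleEngine On

# --- What the audit log above shows: self-contained (traditional) mode ---
# Every CRS rule ends in the "block" action, which inherits this default,
# so a single match such as 958291 denies the request on its own.
#SecDefaultAction "phase:1,deny,log"

# --- Blocking mode with anomaly scoring on (collaborative detection) ---
# 1) Matching rules now only log and add to tx.anomaly_score.
SecDefaultAction "phase:1,pass,log"

# 2) Points per severity (CRS 2.2.x defaults). 958291 is severity WARNING,
#    so the Facebook request above would score 3.
SecAction \
  "id:'900001', \
  phase:1, \
  t:none, \
  setvar:tx.critical_anomaly_score=5, \
  setvar:tx.error_anomaly_score=4, \
  setvar:tx.warning_anomaly_score=3, \
  setvar:tx.notice_anomaly_score=2, \
  nolog, \
  pass"

# 3) Switch anomaly-score blocking on. With this off, the threshold rules
#    in base_rules/modsecurity_crs_49_inbound_blocking.conf only log, so
#    SecDefaultAction "pass" would leave inbound traffic unblocked.
SecAction \
  "id:'900002', \
  phase:1, \
  t:none, \
  setvar:tx.anomaly_score_blocking=on, \
  nolog, \
  pass"

# 4) The limits. 1000 inbound is the deliberately high starting value from
#    the thread (assumed number): legitimate traffic that trips a few rules
#    is logged but served, and only requests that pile up hundreds of points
#    are denied. Lower it in steps as the exclusions below accumulate.
#    Outbound is left at the CRS 2.2.x default of 4.
SecAction \
  "id:'900003', \
  phase:1, \
  t:none, \
  setvar:tx.inbound_anomaly_score_level=1000, \
  setvar:tx.outbound_anomaly_score_level=4, \
  nolog, \
  pass"

# zz_local_exclusions.conf  (assumed name; must be Included AFTER
# base_rules/*.conf, because SecRuleRemoveById can only remove a rule that
# has already been loaded)

# Option A, Christian's suggestion: drop 958291 for every request.
# Uncomment to use instead of option B.
#SecRuleRemoveById 958291

# Option B, narrower: keep 958291 loaded but skip it for requests whose
# User-Agent announces the Facebook crawler. Runs in phase 1, so the ctl
# takes effect before the phase-2 rule 958291 is evaluated. id 1000001 is
# an assumed local id (1,000,000 and above is unreserved). User-Agent is
# attacker-controlled, so this is an exclusion, not authentication: anyone
# who sends that string also bypasses 958291, and nothing else.
SecRule REQUEST_HEADERS:User-Agent "@beginsWith facebookexternalhit/" \
  "id:'1000001', \
  phase:1, \
  t:none, \
  nolog, \
  pass, \
  ctl:ruleRemoveById=958291"
```

After reloading Apache, replay the request from the audit log (the same path with `Range: bytes=0-524287` and the facebookexternalhit User-Agent) and confirm it returns 200; in scoring mode the rule match still appears in section H of the audit log as a "Warning." line rather than "Access denied", which is exactly where the next false positive will show up. The tuning loop Christian describes is then: pull the `[id "..."]` fields out of section H for the logged-but-served requests, write a SecRuleRemoveById or a scoped ctl:ruleRemoveById for each one that is a false positive, and lower tx.inbound_anomaly_score_level once the audit log goes quiet at the current limit.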