Hi, after a few weeks with ModSec, CRS3, some custom rules and several exception rules, things seem to run smoothly now.
@Christian: With help of your tutorials, I was able to solve some other issues. Thanks for that!

Regards,

Heinrich

On Thursday, 24.11.2016, 07:46 +0100, Heinrich M. wrote:
> Hi Christian,
>
> thank you for the information and the grep command :-).
>
> After dealing with some other problems the last days, I'm back to
> ModSec today. I will report everything I encounter.
>
> Regards,
>
> Heinrich
>
> P.S. Going to switch to 3.0/dev for further testing.
>
> On Friday, 18.11.2016, 16:06 +0100, Christian Folini wrote:
> >
> > Hello Heinrich,
> >
> > Another well spotted bug. Thank you. It's funny how a new pair of
> > eyes spots bugs in corners ignored by experienced users.
> >
> > The support for the "ver" action is only partial. In fact there are
> > more than only the blocking rules that come without the "ver"
> > action.
> >
> > I have opened a bug report for this issue:
> > https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/650
> >
> > I flagged it for CRS 3.1.0. There is a chance this will be made
> > available for 3.0.1, but I doubt it as it's quite a bit of work
> > and not crucial for the correct functioning of the rule set.
> >
> > In your situation, you are best off with the following construct
> > including the mandatory regular expression. Note how the CRS rules
> > are all in the 900K range, but we lately claimed the 9M range too;
> > hence {5,6}.
> >
> > $> cat error.log | egrep "id \"9[0-9]{5,6}\""
> >
> > Keep these bug reports coming, please.
> >
> > Best,
> >
> > Christian
> >
> > On Thu, Nov 17, 2016 at 02:27:14PM +0100, Heinrich M. wrote:
> > >
> > > Hi,
> > >
> > > while playing around with the rule set and adding some custom
> > > rules, I found that the blocking rules miss the version tag within
> > > Apache's error log. Is there a reason for this? As far as I could
> > > see, every other rule is tagged with [ver "OWASP_CRS/3.0.0"] but I
> > > may be missing something.
> > >
> > > I'd like to grep for '[ver "OWASP_CRS/3.0.0"]' in order to separate
> > > log entries from custom rules from the CRS rules. I know that this
> > > can also be done by rule IDs but those regexes are hard ;-).
> > >
> > > Regards,
> > >
> > > Heinrich
> > > _______________________________________________
> > > Owasp-modsecurity-core-rule-set mailing list
> > > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
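
The ID-based split recommended in the thread, as an added example that is not part of the original messages. The log lines are constructed and abbreviated, the function names are hypothetical, and the pattern is anchored to the bracketed `[id "..."]` field, which is slightly tighter than the one-liner quoted above.

```shell
#!/bin/sh
# Added example: separate CRS entries from custom-rule entries by rule ID.
# ID pattern as in the thread: 9 plus 5 or 6 digits (900K and 9M ranges).
CRS_ID='\[id "9[0-9]{5,6}"\]'

# Constructed, abbreviated Apache error-log lines (not real log output).
sample_log() {
cat <<'EOF'
[client 192.0.2.10] ModSecurity: Warning. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [ver "OWASP_CRS/3.0.0"] [uri "/login"]
[client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/login"]
[client 192.0.2.11] ModSecurity: Warning. [id "9001234"] [msg "constructed rule in the 9M range"] [ver "OWASP_CRS/3.0.0"] [uri "/"]
[client 192.0.2.12] ModSecurity: Access denied with code 403 (phase 1). [id "10001"] [msg "custom: blocked admin path"] [uri "/admin"]
[client 192.0.2.13] ModSecurity: Warning. [id "90001"] [msg "custom: five-digit ID starting with 9"] [uri "/"]
[client 192.0.2.14] AH01630: client denied by server configuration: /var/www/private
EOF
}

# All filters read a log on stdin.
crs_entries()     { grep -E "$CRS_ID"; }
# ModSecurity entries whose ID is outside the CRS ranges.
custom_entries()  { grep -E '\[id "[0-9]+"\]' | grep -Ev "$CRS_ID"; }
# CRS entries that a grep for the "ver" tag would miss (the gap reported above).
crs_missing_ver() { crs_entries | grep -Fv '[ver "OWASP_CRS/'; }
# Reduce entries to bare rule IDs, one per line.
rule_ids()        { grep -Eo '\[id "[0-9]+"\]' | tr -dc '0-9\n'; }

echo "CRS rule IDs:        $(sample_log | crs_entries | rule_ids | paste -sd, -)"
echo "Custom rule IDs:     $(sample_log | custom_entries | rule_ids | paste -sd, -)"
echo "CRS without ver tag: $(sample_log | crs_missing_ver | rule_ids | paste -sd, -)"
```

To run the same filters on a real log, redirect it in, for example `crs_missing_ver < error.log`.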