On Mon, Jan 16, 2017 at 08:15:22PM +0000, Géza Búza wrote:
> As I see it states that the anomaly score is 5 at that point.
> It looks like REQUEST-949-BLOCKING-EVALUATION is evaluated before
> REQUEST-941-APPLICATION-ATTACK-XSS, at least it appears earlier in the log.

Bingo. The install file says you need to install on NginX by naming
the rules files one by one:

include modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

Is this what you did? Your logfiles look like you did include rules/*.conf.

Ahoj,

Christian

>
> Michael, I'm using this Docker based installation:
> https://github.com/theonemule/docker-waf
> Could you take a look at the configuration files located at
> https://github.com/theonemule/docker-waf/tree/master/waf? You may spot a
> mistake there.
>
> Regards,
> Geza
>
>
> Muenz, Michael <m...@partycrew-united.de> wrote (on Mon, Jan 16, 2017, 9:09):
>
> > On 15.01.2017 at 19:11, Géza Búza wrote:
> > > Hi all,
> > >
> > > I'm new to ModSecurity and wanted to try it out by installing Nginx
> > > 1.10.2, latest ModSecurity (master branch), with latest CRS
> > > (v3.0/master branch).
> > >
> > > With the default settings on, I tried to send an attack request and
> > > expected to see it blocked.
> > > So I sent the request below to the demo application
> > > GET http://172.17.0.1/?param="><script>alert(1);</script>
> > > and it responded with 200 OK (which is okay since it's in detection
> > > only mode by default),
> > > but I expected to see the error "Inbound Anomaly Score Exceeded (Total
> > > Score: 5)" in the audit log. There is no such message, but other rules
> > > have triggered as I expected.
> > > I attached the complete log of the HTTP GET request.
> > >
> > > Could you give me guidance on what I am missing?
> > Hi,
> >
> > I've tested it on my installation with
> > ?param="><script>alert(1);</script> and I'm hitting 19 rules, so there's
> > an error somewhere in your configuration.
> >
> > Michael
> >
> > --
> > www.routerperformance.net
> > - Cisco, Linux, Networks
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> >
> --
> Regards,
> Búza Géza

--
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
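
Added example, not part of the original message and not code from the CRS project: a small Python check that reads a ModSecurity configuration, reports CRS rule files included out of numeric order (such as 949 before 941, the symptom discussed above), and flags wildcard includes. The sample configurations and the name check_include_order are constructed for illustration.

```python
import re

# Constructed sample configurations (not the files from the thread).
GOOD = """\
include modsecurity.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
"""
BAD_ORDER = """\
include modsecurity.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
"""
WILDCARD = "include owasp-modsecurity-crs/rules/*.conf\n"

INCLUDE_RE = re.compile(r'^\s*include\s+"?([^"\s]+)"?\s*$', re.IGNORECASE)
RULE_RE = re.compile(r"(?:REQUEST|RESPONSE)-(\d{3})-[A-Z0-9-]+\.conf$")


def check_include_order(config_text):
    """Return (line_no, kind, detail) findings for a ModSecurity config."""
    findings = []
    highest = None  # (rule number, path) of the highest CRS file seen so far
    for line_no, line in enumerate(config_text.splitlines(), 1):
        match = INCLUDE_RE.match(line.split("#", 1)[0])  # ignore comments
        if not match:
            continue
        path = match.group(1)
        if any(ch in path for ch in "*?["):
            # Load order now depends on how the pattern is expanded.
            findings.append((line_no, "wildcard", path))
            continue
        rule = RULE_RE.search(path)
        if not rule:
            continue  # modsecurity.conf, crs-setup.conf, local files
        number = int(rule.group(1))
        if highest and number < highest[0]:
            findings.append((line_no, "out-of-order",
                             f"{path} is loaded after {highest[1]}"))
        else:
            highest = (number, path)
    return findings


if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD_ORDER", BAD_ORDER), ("WILDCARD", WILDCARD)):
        print(name, check_include_order(text))
```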