Hey Ed,

It is hard to help you without seeing the rule alert. The alerts you
showed us are only the evaluation at the end.

Ahoj,

Christian

On Tue, May 23, 2017 at 09:06:21AM -0400, Ed Greenberg wrote:
> Something I don't understand. Here is a sample:
> 
> 
> 
> --6e7a4c70-E--
> 
> --6e7a4c70-H--
> Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file 
> "/etc/httpd/owasp-modsecurity-crs-3.0.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"]
> [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score:
> 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"]
> [tag "platform-multi"] [tag "attack-generic"]
> Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file
> "/etc/httpd/owasp-modsecurity-crs-3.0.0/rules/RESPONSE-980-CORRELATION.conf"]
> [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total
> Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0):
> Engine-Mode: "DETECTION_ONLY"
> 
> --6e7a4c70-Z--
> 
> I tried to post the entire log entry, but the Barracuda that protects this
> list objected. I'm hoping that cutting down the content will work.
> 
> So I know that this is some sort of XSS problem, but no more than that. I
> checked with our web apps people, and the URL parameters are quite
> legitimate.
> 
> What is the underlying rule that triggered this?  More importantly, how
> would I tell?
> 
> Finally, how do I turn this off so that the call continues to work once we
> take ModSecurity out of DETECTION_ONLY?
> 
> 
> Thanks
> 
> Ed
> 
> 
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

-- 
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
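
Added example, not part of the original thread or of the CRS project's code: a small Python filter for section H of a ModSecurity audit log entry that sets aside the two evaluation rules quoted above (949110 and 980130) and lists the remaining rule alerts, which are the ones that added to the anomaly score. It assumes each Message: entry sits on one unwrapped line; the sample is constructed, and its first line uses a placeholder rule id, file and data.

```python
import re

# Ids of the two anomaly-score evaluation rules seen in the quoted log.
EVALUATION_IDS = {"949110", "980130"}

# Matches [name "value"] metadata fields, allowing escaped quotes in the value.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_messages(section_h):
    """Return one dict per 'Message:' line of an audit log H section."""
    entries = []
    for line in section_h.splitlines():
        if not line.startswith("Message: "):
            continue  # skip Engine-Mode and other header lines
        entry = {"tags": [], "raw": line}
        for name, value in FIELD_RE.findall(line):
            if name == "tag":
                entry["tags"].append(value)  # a rule can carry several tags
            else:
                entry.setdefault(name, value)
        entries.append(entry)
    return entries


def triggering_rules(section_h):
    """Drop the evaluation rules, leaving the alerts that added to the score."""
    return [e for e in parse_messages(section_h)
            if e.get("id") not in EVALUATION_IDS]


# Constructed sample. Line 1 is a made-up rule alert (placeholder id, file and
# data); lines 2 and 3 are shortened copies of the evaluation entries above.
SAMPLE_H = '''Message: Warning. Pattern match "<placeholder>" at ARGS:q. [file "/path/to/rules/EXAMPLE.conf"] [line "1"] [id "999999"] [msg "Constructed example alert"] [data "Matched Data: x found within ARGS:q"] [severity "CRITICAL"] [tag "attack-xss"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs-3.0.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs-3.0.0/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5)"]
Engine-Mode: "DETECTION_ONLY"
'''

if __name__ == "__main__":
    for rule in triggering_rules(SAMPLE_H):
        print(rule["id"], rule["msg"], rule.get("data", ""), rule["tags"])
```

The id, matched variable and data fields of the surviving entries are what a rule exclusion would be written against.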