Re: [Owasp-modsecurity-core-rule-set] Remove rule 970901 - CRS 2.2.8

Wed, 23 Aug 2017 13:44:22 -0700 

On Wed, Aug 23, 2017 at 10:31:17PM +0200, Osama Elnaggar wrote:
>    Try changing the phase to phase 1 as phase 4 rules are for processing the
>    response body and the request has already reached your backend by phase 4.

Yeah, but the rule in question is also phase 4:

modsecurity_crs_50_outbound.conf:

SecRule RESPONSE_STATUS "^5\d{2}$"
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'The
application is not available',logdata:'Matched Data: %{TX.0} found
within %{MATCHED_VAR_NAME}:
%{MATCHED_VAR}',id:'970901',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"

Not sure where the problem is.

I'm tempted to say that an upgrade to CRS3 is likely to solve the
problem, though.

Ahoj,

Christian


>    -- 
>    Osama Elnaggar
> 
>    On August 24, 2017 at 6:20:26 AM, Cristiano Galdino
>    (cristiano.gald...@gmail.com) wrote:
> 
>      Hi!
>      I have an application
>      â**returning status 500 and I can not fix it or take it out. I try
>      disable rule 970901 but
>      â** â**
>      modsecurity keeps logging events
>      â**.â**
>      â**
>      File:
>      â**modsecurity_crs_15_local_exceptions.conf
>      SecRule REQUEST_FILENAME "@beginsWith /monitor/" \
>      "id:2500,phase:4,nolog,noauditlog,t:none,t:lowercase,msg:'Desativa
>      regras de para o contexto SIPAG-MONITOR-WEB',pass, \
>      ctl:ruleRemoveById=970901"
>      What can I do?
> 
>      â**Tks!â**
> 
>      --
>      Cristiano Galdino - cristi...@galdino.net
>      http://cristiano.galdino.net
>      _______________________________________________
>      Owasp-modsecurity-core-rule-set mailing list
>      Owasp-modsecurity-core-rule-set@lists.owasp.org
>      https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set


-- 
ModSecurity courses Oct 2017 in London and Zurich
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

Reply via email to