[Owasp-modsecurity-core-rule-set] Rule 950907 regex issue?

2011-04-13 Thread Ken Brucker
Hi - I'm pretty new to modsecurity configuration but I think I found a problem with one of the rules. SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \ "phase:2,rev:'2.1.2',capture,t:none,t:normalisePath,t:low

[Owasp-modsecurity-core-rule-set] Testing Custom Rules

2011-05-05 Thread Ken Brucker
Hi - I have some custom rules I'd like to create and I'm looking for a test engine to drive the rules and ensure I'm getting the expected results. I checked the FAQ and found this question that directly relates: How do I handle False Positives and creating Custom Rules? It is inevitable; you

Re: [Owasp-modsecurity-core-rule-set] Testing Custom Rules

2011-05-05 Thread Ken Brucker
. An extension might be to connect > to the > AuditConsole and check the resulting "newly created" audit log events for the > requests > that are injected for testing. > > If that sounds interesting to you, just drop me a line. I'd be happy to > include such

Re: [Owasp-modsecurity-core-rule-set] Testing Custom Rules

2011-05-05 Thread Ken Brucker
t for the most recent rules and then releasing it in > the CRS util directory. > > I will send more info soon. > > Ryan > > On May 5, 2011, at 11:54 AM, "Ken Brucker" > mailto:k...@pumastudios.com>> wrote: > > Hi - I have some custom rules I

[Owasp-modsecurity-core-rule-set] OWASP CRS Version 3.0 RC1 Rules 930100, 930110

2016-08-27 Thread Ken Brucker
I have V3 rules running in a test environment playing with how it interacts with WordPress. My early investigation is showing a few rules that need to be addressed to allow code, sql examples etc. to be included in a post, nothing overly surprising. I have a question about the construction of r

[Owasp-modsecurity-core-rule-set] CRS Version 3.0 RC1 Rules 930100, 930110 definitions

2016-09-04 Thread Ken Brucker
[ Not sure my first try posting made it through, I see it in the archive, but have had no response which I find odd. ] I have V3 rules running in a test environment playing with how it interacts with WordPress. My early investigation is showing a few rules that need to be addressed to allow cod

[Owasp-modsecurity-core-rule-set] OWASP CRS v3.0 False Positive rule 920120

2016-09-04 Thread Ken Brucker
Playing with OWASP CRS v3.0 and have a false positive on rule 920120. The application is Picasa (no longer available from Google). During file uploads it produces the failing pattern when communicating with the target website. I have no control over the application end of this and there's no hop

Re: [Owasp-modsecurity-core-rule-set] CRS Version 3.0 RC1 Rules 930100, 930110 definitions

2016-09-04 Thread Ken Brucker
uleUpdateTargetById 930100 REQUEST_URI REQUEST_FILENAME > > #Also add in ARGS > SecRuleUpdateTargetById 930100 ARGS > > Or use ctl:ruleRemoveById version to only do this for certain URLs. > > Thanks, > Barry > > On 4 Sep 2016, at 18:25, Christian Folini <mailto:

Re: [Owasp-modsecurity-core-rule-set] OWASP CRS v3.0 False Positive rule 920120

2016-09-05 Thread Ken Brucker
c=0 Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0. Server: Apache/2.4.23 (Ubuntu) Engine-Mode: "ENABLED" --0c41777f-J-- 4,133750,"IMG_6822.JPG","" Total,133750 --0c41777f-Z-- > On Sep 5, 2016, at 4:09 AM, Christian Folini > wrote: > >

[Owasp-modsecurity-core-rule-set] CRS v3.0 Wordpress False Positives

2016-09-05 Thread Ken Brucker
I see a variety of false positives with WordPress and CRS v3.0. In light of Issue 527 (Policy for handling app specific FPs) should I be filing a github issue for each of them that I've seen? There are a number of easy to create F

Re: [Owasp-modsecurity-core-rule-set] CRS v3.0 Wordpress False Positives

2016-09-05 Thread Ken Brucker
amount of work you are willing to invest. > > Ahoj, > > Christian > > > > On Mon, Sep 05, 2016 at 12:23:44PM -0700, Ken Brucker wrote: >> I see a variety of false positives with WordPress and CRS v3.0. >> >> In light of Issue 527 >> <https://github

[Owasp-modsecurity-core-rule-set] RegEx in CRS 3.0.2 942200 too broad?

2018-01-10 Thread Ken Brucker
I've been looking at some false positives related to rule 942200. Side note, I'm running CRS 3.0.2 but the rules still have a version 3.0.0 tag. I was surprised to see that. Here's an exemplar from the audit file: Message: Warning. Pattern match "(?i:(?:,.*?[)\\da-f\"'`][\"'`](?:[\"'`].*?[\"'`