owasp-modsecurity-crs | OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository) | Cybersecurity library

by SpiderLabs | Perl | Version: v3.2.0 | License: Apache-2.0

kandi X-RAY | owasp-modsecurity-crs Summary

owasp-modsecurity-crs is a Perl library typically used in Security, Cybersecurity, Nodejs, Docker applications. owasp-modsecurity-crs has no bugs, it has no vulnerabilities, it has a Permissive License and it has medium support. You can download it from GitHub.

The OWASP ModSecurity Core Rule Set (CRS) has moved to

            Support

              owasp-modsecurity-crs has a medium active ecosystem.
              It has 2394 star(s) with 745 fork(s). There are 242 watchers for this library.
              It had no major release in the last 12 months.
              There are 39 open issues and 927 have been closed. On average issues are closed in 303 days. There are 9 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of owasp-modsecurity-crs is v3.2.0

            Quality

              owasp-modsecurity-crs has 0 bugs and 0 code smells.

            Security

              owasp-modsecurity-crs has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
              owasp-modsecurity-crs code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

            License

              owasp-modsecurity-crs is licensed under the Apache-2.0 License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            Reuse

              owasp-modsecurity-crs releases are available to install and integrate.
              It has 453 lines of code, 23 functions and 13 files.
              It has high code complexity. Code complexity directly impacts maintainability of the code.

            owasp-modsecurity-crs Key Features

            No Key Features are available at this moment for owasp-modsecurity-crs.

            owasp-modsecurity-crs Examples and Code Snippets

            No Code Snippets are available at this moment for owasp-modsecurity-crs.

            Community Discussions

            QUESTION

            ModSecurity not putting some transactions to audit log
            Asked 2022-Mar-14 at 08:56

            We are facing a problem where, in certain cases, ModSecurity is not tracking the blocking in the audit log even though we have set it as a default action and the rule does not have any logging property set. In the error log, we can see only the rule which was triggered because the anomaly score was reached, but nothing about the rules which actually counted the score. In some other cases, this information is visible.

            In modsecurity.conf we have logging of rules enabled

            ...

            ANSWER

            Answered 2022-Mar-14 at 08:56

            It is a bug that is present in ModSecurity 3.0.6 when used along with Nginx.

            The resolution is either not to use a custom error_page in the Nginx configuration or to recompile the current solution with this fix: https://github.com/SpiderLabs/ModSecurity-nginx/pull/273

            Source https://stackoverflow.com/questions/71422368

            QUESTION

            Modsecurity OWASP Core Rule Set - base64 false positive rule 941170
            Asked 2021-Oct-27 at 12:53

            We use ModSecurity 3.X for Nginx with the OWASP Core Rule Set.

            We have a problem with an image in base64 and rule 941170.

            The pattern of the rule is

            ...

            ANSWER

            Answered 2021-Oct-27 at 12:53

            The SecRuleUpdateTargetById rule exclusion you provided looks good to me.

            To be clear, the effect of that rule exclusion is:

            • Rule 941170 no longer applies to the screen argument
            • Rule 941170 still applies to all other arguments as usual
            • All other rules still apply to all arguments, including screen, as usual

            Is there a reason you're not happy with this?

            If you're running a super-high security setup which means that the SecRuleUpdateTargetById rule exclusion is too coarse, two suggestions I would make:

            • If appropriate for your web application, limit the rule exclusion for rule 941170 to only apply to the screen argument and only for a given location (for example, only for requests to /login.php)

            • Limit the rule exclusion for rule 941170 to only apply to the screen argument and only when screen begins with the string data:image/jpeg;base64

            You could even combine both of those suggestions to be extremely specific.

            If either, or both, of those sound applicable to your situation, let me know if you would like help to put those rule exclusions together.

            Also, what paranoia level are you currently running in, out of interest?

            Regarding your suggestion to modify rule 941170's regular expression, it's a bad idea to directly modify third-party rules, such as the Core Rule Set rules. You essentially end up creating your own fork of the rule set, and you're left with the responsibility for maintaining any modifications you make. Upgrading the rule set would become difficult: you would have to remember to keep re-applying, and possibly change, your modifications. In short: rule exclusions are the way to go!

            Update

            The second rule exclusion described above may look something like this:

            Source https://stackoverflow.com/questions/69476974

            QUESTION

            OWASP coreruleset warning "invalid http request line" triggered by CONNECT method
            Asked 2021-Oct-13 at 21:58

            Summary:

            I have setup a basic WAF with mod-security and the OWASP coreruleset 3.3.2. When using the WAF I see lots of warnings in modsec_audit.log regarding the CONNECT method, which trigger crs rule 920100:

            Message: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./](?::\d+)?)?/[^?#](?:\?[^#\s])?(?:#[\S])?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \)\s+[\w\./]+|get /[^?#](?:\?[^#\s])?(?:#[\S])?)$" against "REQUEST_LINE" required. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "63"] [id "920100"] [msg "Invalid HTTP Request Line"] [data "CONNECT oneofmy.longer.hostname.here.abcde.com:443 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"]

            Details regarding setup: I set up the WAF with mod_security 2.9.2 and httpd. I used the crs-setup.conf.example provided by CRS and only modified these two settings regarding the threshold and allowing the CONNECT HTTP method. (The CONNECT method is used in our setup for proxy purposes.)

            ...

            ANSWER

            Answered 2021-Oct-13 at 21:58

            Looking at the part of the regular expression for rule 920100 that deals with the CONNECT method:

            Source https://stackoverflow.com/questions/69434637

            QUESTION

            ModSecurity: Create SecRule exclusion for REQUEST_HEADERS:Transfer-Encoding
            Asked 2021-Jun-07 at 08:00

            I want to create an exclusion to disable a specific rule (ID:920180) in my system. How should I write the syntax in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf?

            Here is my exclusion, but I'm not sure it fully covers disabling it:

            ...

            ANSWER

            Answered 2021-Jun-03 at 14:46

            Your exclusion rule is almost correct. But the & in front of REQUEST_HEADERS:Transfer-Encoding is missing.

            &REQUEST_HEADERS:Transfer-Encoding (with the ampersand) counts the number of Transfer-Encoding headers.

            Without the & (ampersand), the content of the Transfer-Encoding header is compared to the value 0.

            I'm not sure whether you really want to remove the rule in general for nonexistent Transfer-Encoding headers, or whether you want to restrict this to certain clients (IP addresses, user agents, ...). But that is your decision. I don't know exactly what you need.

            But in any case, this exclusion rule will now work.

            By the way: The current OWASP Core Rule Set repository is https://github.com/coreruleset/coreruleset/.

            Source https://stackoverflow.com/questions/67819948

            QUESTION

            ModSecurity subrequest whitelist
            Asked 2020-Jul-28 at 13:36

            I have Nginx with ModSecurity and the OWASP CRS setup being used as a reverse proxy to a couple different web servers. I am using add_after_body /gdprmessage.html; to append a GDPR acceptance to every page. Everything works fairly well, but occasionally on POST requests, the resulting page will render an ugly 403 error rather than my GDPR message. I get this message in the logs:

            ...

            ANSWER

            Answered 2020-Jul-28 at 13:36

            I was trying to solve the issue with a ModSecurity exception. It turns out, the answer was simply adding modsecurity off to the location.

            If it helps anyone else, here is my GDPR snippet that I include in my site definitions:

            Source https://stackoverflow.com/questions/63084317

            QUESTION

            Python get data from Elasticsearch
            Asked 2020-Mar-28 at 11:50

            I have a JSON log of ModSecurity on Nginx. I have sent it to Elasticsearch. Now I want to write a Python script to get data from Elasticsearch and use this to trigger a Zabbix monitor.

            But I am confused with this. Here is my data when I get it to Elasticsearch

            ...

            ANSWER

            Answered 2020-Mar-17 at 07:47

            Easy way in Python using json module

            Source https://stackoverflow.com/questions/60717452

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install owasp-modsecurity-crs

            You can download it from GitHub.

            Support

            We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. We are interested in hearing any bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections. Create an issue on GitHub to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your ModSecurity audit log. Sign up for our Google Group to ask general usage questions and participate in discussions on the CRS. Also here you can find the archives for the previous mailing list. Join the #coreruleset channel on OWASP Slack to chat about the CRS.
            Find more information at:

            CLONE
          • HTTPS

            https://github.com/SpiderLabs/owasp-modsecurity-crs.git

          • CLI

            gh repo clone SpiderLabs/owasp-modsecurity-crs

          • sshUrl

            git@github.com:SpiderLabs/owasp-modsecurity-crs.git
