owasp-modsecurity-crs | OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository) | Cybersecurity library
kandi X-RAY | owasp-modsecurity-crs Summary
The OWASP ModSecurity Core Rule Set (CRS) has moved to
Community Discussions
Trending Discussions on owasp-modsecurity-crs
QUESTION
We are facing a problem where, in certain cases, ModSecurity is not tracking the blocking in the audit log, despite us having set it as the default action and the rule not having any logging property set. In the error log we can see only the rule that was triggered because the anomaly score had been reached, but nothing about the rules that actually counted towards the score. In some other cases this information is visible.
In modsecurity.conf we have logging of rules enabled.
ANSWER
Answered 2022-Mar-14 at 08:56
It is a bug that is present in ModSecurity 3.0.6 when used along with Nginx.
The resolution is either not to use a custom error_page in the Nginx configuration, or to recompile the current solution with this fix: https://github.com/SpiderLabs/ModSecurity-nginx/pull/273
QUESTION
We use ModSecurity 3.X for NGINX with the OWASP Core Rule Set.
We have a problem with an image in base64 and rule 941170.
The pattern of the rule is
ANSWER
Answered 2021-Oct-27 at 12:53
The SecRuleUpdateTargetById rule exclusion you provided looks good to me.
To be clear, the effect of that rule exclusion is:
- Rule 941170 no longer applies to the screen argument
- Rule 941170 still applies to all other arguments as usual
- All other rules still apply to all arguments, including screen, as usual
Is there a reason you're not happy with this?
If you're running a super-high security setup which means that the SecRuleUpdateTargetById rule exclusion is too coarse, two suggestions I would make:
- If appropriate for your web application, limit the rule exclusion for rule 941170 to only apply to the screen argument and only for a given location (for example, only for requests to /login.php)
- Limit the rule exclusion for rule 941170 to only apply to the screen argument and only when screen begins with the string data:image/jpeg;base64
You could even combine both of those suggestions to be extremely specific.
If either, or both, of those sound applicable to your situation, let me know if you would like help to put those rule exclusions together.
Also, what paranoia level are you currently running in, out of interest?
Regarding your suggestion to modify rule 941170's regular expression, it's a bad idea to directly modify third-party rules, such as the Core Rule Set rules. You essentially end up creating your own fork of the rule set, and you're left with the responsibility for maintaining any modifications you make. Upgrading the rule set would become difficult: you would have to remember to keep re-applying, and possibly change, your modifications. In short: rule exclusions are the way to go!
Update
The second rule exclusion described above may look something like this:
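The following is an added example, not code from the answer above or from the CRS project, showing how the three variants discussed in that answer (unconditional target exclusion, exclusion limited to one location, exclusion limited to a base64 JPEG value, and both conditions combined) can be written in ModSecurity rule language. The rule ids 1001 to 1003 and the path /login.php are assumptions; the directives go into REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf so that they are evaluated before the CRS rules.

```apacheconf
# Added example (not from the original answer or the CRS project).
# Rule ids 1001-1003 and the /login.php path are assumptions; pick ids from
# your own local range. Loading this file before the CRS rules is what makes
# the ctl actions below take effect on rule 941170.

# (a) Unconditional: rule 941170 never inspects ARGS:screen anywhere.
#     This is the coarse exclusion discussed in the answer.
SecRuleUpdateTargetById 941170 "!ARGS:screen"

# (b) Only for requests to /login.php. ctl:ruleRemoveTargetById drops the
#     target for this transaction only. REQUEST_FILENAME is already known in
#     phase 1, so the check can run early.
SecRule REQUEST_FILENAME "@streq /login.php" \
    "id:1001,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=941170;ARGS:screen"

# (c) Only when the argument really starts with an inline JPEG data URI.
#     POST body arguments exist from phase 2 onward; rule 941170 is also a
#     phase 2 rule, but this rule is loaded first and therefore runs first.
SecRule ARGS:screen "@beginsWith data:image/jpeg;base64" \
    "id:1002,phase:2,pass,nolog,\
    ctl:ruleRemoveTargetById=941170;ARGS:screen"

# (d) Both conditions combined with chain. Non-disruptive actions such as
#     ctl run as soon as the rule carrying them matches, so the ctl action is
#     placed on the LAST rule of the chain: it then fires only when the
#     location AND the value prefix both match.
SecRule REQUEST_FILENAME "@streq /login.php" \
    "id:1003,phase:2,pass,nolog,chain"
    SecRule ARGS:screen "@beginsWith data:image/jpeg;base64" \
        "ctl:ruleRemoveTargetById=941170;ARGS:screen"
```

Use only one of (a) to (d) in practice; they are alternatives of increasing precision, and (d) is the "combine both" option the answer mentions. Because these are exclusions rather than edits to the CRS rule file, upgrading the rule set leaves them untouched.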
QUESTION
Summary:
I have set up a basic WAF with mod-security and the OWASP coreruleset 3.3.2. When using the WAF I see lots of warnings in modsec_audit.log regarding the CONNECT method, which trigger CRS rule 920100:
Message: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./](?::\d+)?)?/[^?#](?:\?[^#\s])?(?:#[\S])?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \)\s+[\w\./]+|get /[^?#](?:\?[^#\s])?(?:#[\S])?)$" against "REQUEST_LINE" required. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "63"] [id "920100"] [msg "Invalid HTTP Request Line"] [data "CONNECT oneofmy.longer.hostname.here.abcde.com:443 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"]
Details regarding setup:
I set up the WAF with mod_security 2.9.2 and httpd. I used the crs-setup.conf.example provided by CRS and only modified these two settings regarding the threshold and allowing the CONNECT HTTP method (the CONNECT method is used in our setup for proxy purposes).
ANSWER
Answered 2021-Oct-13 at 21:58
Looking at the part of the regular expression for rule 920100 that deals with the CONNECT method:
QUESTION
I want to create an exclusion to disable a specific rule (ID 920180) in my system. How should I write the syntax in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf?
Here is my exclusion, but I'm not sure it fully covers disabling it:
ANSWER
Answered 2021-Jun-03 at 14:46
Your exclusion rule is almost correct. But the & in front of REQUEST_HEADERS:Transfer-Encoding is missing.
&REQUEST_HEADERS:Transfer-Encoding (with the ampersand) counts the number of Transfer-Encoding headers.
Without the & (ampersand), the content of the Transfer-Encoding header is compared to the value 0.
I'm not sure whether you really want to remove the rule in general for nonexistent Transfer-Encoding headers, or whether you want to restrict this to certain clients (IP addresses, user agents, ...). But that is your decision. I don't know exactly what you need.
But in any case, this exclusion rule will now work.
By the way: The current OWASP Core Rule Set repository is https://github.com/coreruleset/coreruleset/.
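The following is an added example, not code from the answer above or from the CRS project, showing the exclusion for rule 920180 written with and without the leading ampersand so the difference the answer describes is visible side by side. The rule ids 1010 and 1011 are assumptions; the directives belong in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.

```apacheconf
# Added example (not from the original answer or the CRS project).
# Rule ids 1010 and 1011 are assumptions; use ids from your own local range.
# This file is loaded before the CRS rules, so a phase 1 rule here runs
# before rule 920180 and its ctl action can still remove that rule.

# Correct form. "&REQUEST_HEADERS:Transfer-Encoding" is the COUNT of
# Transfer-Encoding headers in the request, so "@eq 0" matches exactly when
# the header is absent. Only then is rule 920180 dropped for this transaction.
SecRule &REQUEST_HEADERS:Transfer-Encoding "@eq 0" \
    "id:1010,phase:1,pass,nolog,\
    ctl:ruleRemoveById=920180"

# Incorrect form (what the question had), kept commented out for comparison.
# Without "&" the operator is applied to the header VALUE rather than to the
# number of headers. When the header is absent there is no value to test, so
# this rule never matches and 920180 is never removed.
#SecRule REQUEST_HEADERS:Transfer-Encoding "@eq 0" \
#    "id:1011,phase:1,pass,nolog,\
#    ctl:ruleRemoveById=920180"
```

To narrow the exclusion to particular clients, as the answer suggests is possible, the counting rule can be chained with a REMOTE_ADDR or REQUEST_HEADERS:User-Agent check, with the ctl action moved to the last rule of the chain so that it fires only when every condition holds.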
QUESTION
I have Nginx with ModSecurity and the OWASP CRS set up as a reverse proxy to a couple of different web servers. I am using add_after_body /gdprmessage.html; to append a GDPR acceptance to every page. Everything works fairly well, but occasionally on POST requests the resulting page will render an ugly 403 error rather than my GDPR message. I get this message in the logs:
ANSWER
Answered 2020-Jul-28 at 13:36
I was trying to solve the issue with a ModSecurity exception. It turns out the answer was simply adding modsecurity off to the location.
If it helps anyone else, here is my GDPR snippet that I include in my site definitions:
QUESTION
I have a JSON log from ModSecurity for Nginx. I have sent it to Elasticsearch. Now I want to write a Python script to get data from Elasticsearch and use it to trigger a Zabbix monitor.
But I am confused by this. Here is my data when I get it into Elasticsearch:
ANSWER
Answered 2020-Mar-17 at 07:47
Easy way in Python using the json module:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported