[Owasp-modsecurity-core-rule-set] Fix blocking issue

OSSEC junkie ossec.junkie at gmail.com
Tue Aug 25 15:39:53 EDT 2009


I was wondering if I could get some help here. I can't seem to figure out why
I'm getting blocked... well, it's not really blocking, but I know this is a
false positive and can't get the rule to work correctly:

From the audit log:
--bec3cc26-A--
[21/Aug/2009:23:38:56 --0700] So@SgAoBBH0AAEt9FWoAAAAE 72.93.69.185 48517 10.1.4.125 80
--bec3cc26-B--
POST /sell/CheesePizza HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://web.farm.org/sell/CheesePizza?topping=8&sauce=ONE&method=23
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: web.farm.org
Content-Length: 461
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX;


--bec3cc26-C--
prevtrxstate=8&user_preference=S_tomcat_wfarm02_1247457979602_378637%7CS%7Ctomcat_wfarm02%7Cweb.farm.org%7Cen%7CUS%7Cnull%7CMLB%7C&=&topping=&sauce=&method=&area=23&=&comments=all&discount=6&year=2009&appetizer=&desert=RSAL&error_check=null&pasta=null&sandwich=null&cheesetype=false&wid=8323416&complete=0
--bec3cc26-F--
HTTP/1.1 200 OK
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8

--bec3cc26-H--
Message: Warning. Unconditional match in SecAction. [file "/web/root/apache/conf.d/modsecurity/modsecurity_crs_41_xss_attacks.conf"] [line "15"]
Apache-Handler: jakarta-servlet
Stopwatch: 1250923136064289 175742 (338* 6749 166779)
Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/); core ruleset/2.0.1.
Server: Apache/2.2.11 (Unix)

--bec3cc26-K--
SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecAction "phase:2,log,skipAfter:END_XSS_REGEX"

--bec3cc26-Z--
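As an added example (editor's code, not from the original post, ModSecurity or the CRS project), the script below parses a serial-format ModSecurity audit entry like the one quoted above and summarises what it records: the request target, the decoded form arguments from part C, the response status from part F, the Message lines from part H, and for every rule in part K whether it carries log or nolog and which disruptive action it names. The sample entry is a trimmed copy of the one in the post (mail wrapping undone, cookie dropped, the repeated @pmFromFile rule kept once); all function and variable names are the example's own. Run on that sample it shows what the poster saw: the response is 200 OK, the @pmFromFile rules are all nolog,pass and only raise tx.pm_score, and the one rule in part K without nolog is the final SecAction, which is consistent with the "Unconditional match in SecAction" warning in part H being a log entry rather than a block.

```python
"""Parse one ModSecurity 2.x serial audit-log entry (parts delimited by
--<id>-<letter>-- lines) and report what it recorded.  Added example: the
names below are the example's own, not ModSecurity or CRS APIs."""
import re
import shlex
from urllib.parse import parse_qsl

# Constructed sample: a trimmed copy of the entry quoted in the post (mail
# wrapping undone, cookie dropped, the repeated @pmFromFile rule kept once).
SAMPLE = """\
--bec3cc26-A--
[21/Aug/2009:23:38:56 --0700] So@SgAoBBH0AAEt9FWoAAAAE 72.93.69.185 48517 10.1.4.125 80
--bec3cc26-B--
POST /sell/CheesePizza HTTP/1.1
Host: web.farm.org
Content-Type: application/x-www-form-urlencoded

--bec3cc26-C--
prevtrxstate=8&user_preference=S_tomcat_wfarm02_1247457979602_378637%7CS%7Ctomcat_wfarm02%7Cweb.farm.org%7Cen%7CUS%7Cnull%7CMLB%7C&=&topping=&sauce=&method=&area=23&=&comments=all&discount=6&year=2009&appetizer=&desert=RSAL&error_check=null&pasta=null&sandwich=null&cheesetype=false&wid=8323416&complete=0
--bec3cc26-F--
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8

--bec3cc26-H--
Message: Warning. Unconditional match in SecAction. [file "/web/root/apache/conf.d/modsecurity/modsecurity_crs_41_xss_attacks.conf"] [line "15"]
Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/); core ruleset/2.0.1.
--bec3cc26-K--
SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecAction "phase:2,log,skipAfter:END_XSS_REGEX"
--bec3cc26-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "proxy", "redirect"}


def split_parts(entry):
    """Return {part letter: text} for one serial-format audit entry."""
    parts, current, buf = {}, None, []
    for line in entry.splitlines():
        m = BOUNDARY.match(line)
        if not m:
            buf.append(line)
            continue
        if current is not None:
            parts[current] = "\n".join(buf).strip("\n")
        current, buf = m.group(2), []
    if current is not None:                      # flush the last part (Z is empty)
        parts[current] = "\n".join(buf).strip("\n")
    return parts


def parse_request(part_b, part_c):
    """Request line, headers and, for form posts, the decoded body arguments."""
    first, _, rest = part_b.partition("\n")
    method, target, _version = first.split()
    headers = {}
    for line in rest.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    args = []
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # keep_blank_values keeps the empty "topping=" and the stray "&=&" pairs
        args = parse_qsl(part_c.strip(), keep_blank_values=True)
    return {"method": method, "target": target, "headers": headers, "args": args}


def parse_rules(part_k):
    """Tokenise each SecRule/SecAction line in part K and pick out its actions."""
    rules = []
    for line in filter(str.strip, part_k.splitlines()):
        tokens = shlex.split(line)               # respects the double-quoted arguments
        actions = tokens[-1].split(",")
        names = [a.split(":", 1)[0] for a in actions]
        rules.append({
            "directive": tokens[0],
            "operator": tokens[2] if tokens[0] == "SecRule" else None,
            "phase": next((a[6:] for a in actions if a.startswith("phase:")), None),
            "log": "log" in names,
            "nolog": "nolog" in names,
            "disruptive": next((n for n in names if n in DISRUPTIVE), None),
        })
    return rules


def summarise(entry):
    """Everything a triager wants from one entry, as a plain dict."""
    parts = split_parts(entry)
    req = parse_request(parts.get("B", ""), parts.get("C", ""))
    rules = parse_rules(parts.get("K", ""))
    status = int(parts["F"].split("\n", 1)[0].split()[1]) if parts.get("F") else None
    msgs = [l[len("Message: "):] for l in parts.get("H", "").splitlines()
            if l.startswith("Message: ")]
    return {
        "target": f"{req['method']} {req['target']}",
        "args": req["args"],
        "status": status,
        "messages": msgs,
        "rules": rules,
        "logging_rules": [r for r in rules if not r["nolog"]],
    }
```

summarise(SAMPLE)["logging_rules"] contains only the phase 2 SecAction, and summarise(SAMPLE)["status"] is 200; to triage a real log, feed each entry between consecutive "--<id>-A--" and "--<id>-Z--" boundaries to summarise and look at which logging rules have a disruptive action other than pass.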