[Owasp-modsecurity-core-rule-set] "document.gif" got denied after update ModSecurity to 2.5.10 with Core Rules v2
Ryan.Barnett at breach.com
Wed Nov 11 12:23:44 EST 2009
Check in the modsec_audit.log file to see what the Message details are in section H. This will show you exactly which rules were triggering and what portion of data matched. I am guessing it is the "document." data. What you will want to do is to create an exception in the modsecurity_crs_48_local_exceptions.conf file. Take a look at the commented out examples in the file for guidance on what rule to use. Basically, you will want to create a rule that will inspect the TX variable data from the previous XSS rule that matched. You do this by specifying the correct rule id, and matched variable location and payload. If all of this matches (which is a false positive in your case) you then simply expire that TX variable and decrement the anomaly score.
Let me know if you need any more help.
From: owasp-modsecurity-core-rule-set-bounces at lists.owasp.org [owasp-modsecurity-core-rule-set-bounces at lists.owasp.org] On Behalf Of DarkRanger DarkRanger [darkranger_red at hotmail.com]
Sent: Wednesday, November 11, 2009 12:15 PM
To: owasp-modsecurity-core-rule-set at lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] "document.gif" got denied after update ModSecurity to 2.5.10 with Core Rules v2
File from here:
Here's my log:
[Thu Nov 12 00:26:05 2009] [error] [client 184.108.40.206] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 20): Detects very basic XSS probings"] [hostname "darkranger.no-ip.org"] [uri "/image/document.gif"] [unique_id "SvrlnX8AAAEAAC0TRNwAAAAA"]
I guess this GIF file is just denied by name, because if I rename it to "document2.gif" it gets passed. So how do I fix this in ModSecurity?
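Added example (not part of the original thread and not ModSecurity or CRS code): a small Python parser that pulls the section H Message lines out of a serial-format audit log, so the rule id, matched variable and matched data needed for the local exception can be read off directly. The log entry, the rule id 999999, the pattern and the XSS rule's file name are constructed placeholders; the matched data "document." follows the guess in the reply above.

```python
import re

# Constructed sample of one serial-format audit log entry (sections A, B, H, Z).
# Rule id 999999, the pattern and the XSS rule file name are placeholders.
SAMPLE = r'''--a1b2c3d4-A--
[12/Nov/2009:00:26:05 +0800] CONSTRUCTEDuniqueid00000 203.0.113.7 51234 192.0.2.10 80
--a1b2c3d4-B--
GET /image/document.gif HTTP/1.1
Host: www.example.test

--a1b2c3d4-H--
Message: Warning. Pattern match "PLACEHOLDER_PATTERN" at REQUEST_FILENAME. [file "/etc/httpd/modsecurity.d/base_rules/PLACEHOLDER_xss.conf"] [line "1"] [id "999999"] [msg "Detects very basic XSS probings"] [data "document."]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 20): Detects very basic XSS probings"]

--a1b2c3d4-Z--
'''

BOUNDARY = re.compile(r'^--([0-9a-fA-F]+)-([A-Z])--$')   # section separator
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')      # [key "value"] metadata
TARGET = re.compile(r' at (\S+)\.$')                      # variable that matched

def section_h_messages(audit_text):
    """Return one dict per 'Message:' line found in section H of each entry."""
    out, section, uri = [], None, None
    for line in audit_text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            section = m.group(2)
            uri = None if section == 'A' else uri   # section A starts a new entry
            continue
        if section == 'B' and uri is None and line:
            parts = line.split()                    # request line: METHOD URI PROTO
            uri = parts[1] if len(parts) > 1 else None
        elif section == 'H' and line.startswith('Message: '):
            rec = dict(FIELD.findall(line))
            t = TARGET.search(line.split(' [file "', 1)[0])
            rec['target'] = t.group(1) if t else None
            rec['uri'] = uri
            out.append(rec)
    return out

def exception_candidates(messages):
    """Rules that matched request data (they carry an id and a data field);
    the correlation rule only evaluates the summed anomaly score."""
    return [(m['uri'], m['id'], m['target'], m['data'])
            for m in messages if 'id' in m and 'data' in m]
```

Each tuple from exception_candidates() gives the URI, rule id, variable location and payload that the reply says the exception rule has to match.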