[Owasp-modsecurity-core-rule-set] "document.gif" got denied after update ModSecurity to 2.5.10 with Core Rules v2

Ryan Barnett Ryan.Barnett at breach.com
Wed Nov 11 12:23:44 EST 2009 

Check in the modsec_audit.log file to see what the Message details are in section H.  This will show you exactly which rules were triggering and what portion of data matched.  i am guessing it is the "document." data.  What you will want to do is to create an exception in the modsecurity_crs_48_local_exceptions.conf file.  Take a look at the commented out examples in the file for guidance on what rule to use.  Basically, you will want to create a rule that will inspect the TX variable data from the previous XSS rule that matched.  You do this by specifying the correct rule id, and matched variable location and payload.  If all of this matches (which is a false positive in your case) you then simply expire that TX variable and decrement the anomaly score.

Let me know if you need any more help.

-Ryan

________________________________
From: owasp-modsecurity-core-rule-set-bounces at lists.owasp.org [owasp-modsecurity-core-rule-set-bounces at lists.owasp.org] On Behalf Of DarkRanger DarkRanger [darkranger_red at hotmail.com]
Sent: Wednesday, November 11, 2009 12:15 PM
To: owasp-modsecurity-core-rule-set at lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] "document.gif" got denied after update ModSecurity to 2.5.10 with Core Rules v2

File form here:
http://koji.fedoraproject.org/koji/buildinfo?buildID=140180

Here's my log:

[Thu Nov 12 00:26:05 2009] [error] [client 61.64.173.115] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 20): Detects very basic XSS probings"] [hostname "darkranger.no-ip.org"] [uri "/image/document.gif"] [unique_id "SvrlnX8AAAEAAC0TRNwAAAAA"]

I guess this GIF file is just denied by name, because if I rename it to "document2.gif" and got passed. So how to fix in modsecurity?

________________________________
嶄新的 Windows 7:找出適合您的電腦。 深入了解。<http://windows.microsoft.com/shop>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20091111/ab397f46/attachment.html

More information about the Owasp-modsecurity-core-rule-set mailing list