[Owasp-modsecurity-core-rule-set] rule bypass question
Chris Datfung
chris.datfung at gmail.com
Sun Nov 29 10:41:56 EST 2009
I have the following in section H of an event that was a false positive:
Message: Operator GT matched 1 at TX:arg_name_menu. [file
"/opt/modsecurity/etc/crs/base_rules/modsecurity_crs_40_generic_attacks.conf"]
[line "28"] [msg "Possible HTTP Parameter Pollution Attack: Multiple
Parameters with the same Name."]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file
"/opt/modsecurity/etc/crs/base_rules/modsecurity_crs_60_correlation.conf"]
[line "41"] [msg "Transactional Anomaly Score (score 20): Possible HTTP
Parameter Pollution Attack: Multiple Parameters with the same Name."]
Action: Intercepted (phase 2)
Apache-Handler: proxy-server
Stopwatch: 1259298234088338 14916 (181 11756 -)
Producer: ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/); core
ruleset/2.0.3.
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l
The rule at line 28 in modsecurity_crs_40_generic_attacks.conf does not have
a rule ID. The false positive appears in multiple parameters in the
/VulnScript.php script, so ideally, I'd like to add a SecRuleRemoveById
rule, which does not look possible in this case. I read the examples
in modsecurity_crs_48_local_exceptions.conf, but am still unclear how to
bypass this rule. Can someone point me in the right direction?
Thanks
Chris
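One way to exempt a rule that has no ID for a single script, shown here as an added example that is not part of the original thread; it assumes the local exceptions file is loaded after the base rules and that the script path is exactly the /VulnScript.php named above.

```apache
# Added example (not from the thread). Place in
# modsecurity_crs_48_local_exceptions.conf, which loads after the base rules.
#
# The HPP rule in modsecurity_crs_40_generic_attacks.conf carries no id, so
# SecRuleRemoveById cannot name it. SecRuleRemoveByMsg removes every rule
# whose msg matches the given regex instead. Wrapping the directive in an
# Apache <LocationMatch> container limits the removal to the one script that
# produced the false positive (path assumed from the post); the rule keeps
# running for every other URL, so HPP detection is not disabled site-wide.
<LocationMatch "^/VulnScript\.php$">
    SecRuleRemoveByMsg "Possible HTTP Parameter Pollution Attack"
</LocationMatch>
```

Because the removed rule no longer adds to TX:anomaly_score for that script, the follow-up correlation alert from modsecurity_crs_60_correlation.conf stops firing there as well.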