[Owasp-modsecurity-core-rule-set] [mod-security-users] crs ruleset and trace method?

Christian Folini christian.folini at netnea.com
Wed Mar 21 10:25:10 UTC 2018


Hello Eero,

On Wed, Mar 21, 2018 at 12:11:15PM +0200, Eero Volotinen wrote:
> Just wondering, there isn't any rule to block TRACE in CRS. Is there an
> easy way to implement that?

You can block TRACE in 3 ways in Apache:
- TraceEnable Off (-> This is the default in 2.4)
- mod_allowmethods (never did this with TRACE. Maybe it has special treatment.
  Better check.)
- Write a ModSec rule in phase 1 (take an existing CRS rule as a base or look
  at the ModSec integration tutorial at netnea.com and take the method check
  in the whitelisting example)

Cheers,

Christian


> 
> --
> Eero
> 
> On Wed, Mar 21, 2018 at 11:53 AM, Christian Folini <
> christian.folini at netnea.com> wrote:
> 
> > Hey Eero,
> >
> > The TRACE method is somewhat special. At least in Apache. The request
> > skips phase 2 and thus the CRS rule covering tx.allowed_methods.
> >
> > There are discussions to move this block of rules to phase 1 though.
> > https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1015
> >
> > You may want to chime in there.
> >
> > Ahoj,
> >
> > Christian
> >
> > On Wed, Mar 21, 2018 at 09:15:52AM +0200, Eero Volotinen wrote:
> > > Hi,
> > >
> > > Just noticed that the CRS ruleset is not blocking the TRACE method, even with
> > > setvar:'tx.allowed_methods=GET POST'"
> > >
> > > Is this a bug?
> > >
> > > Eero
> >
> >


> _______________________________________________
> mod-security-users mailing list
> mod-security-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/


-- 
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:christian.folini at netnea.com
twitter: @ChrFolini
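A concrete version of the three options Christian lists, written as an added example for Apache 2.4 with ModSecurity 2.x; it is not configuration from the thread or from the CRS project, and the rule id 10001, the status code and the tag are assumptions:

```apache
# Added example, not from the thread. Apache 2.4 + ModSecurity 2.x.

# Option 1: the Apache-level switch. Off is already the default in 2.4,
# setting it explicitly documents the intent and survives a vendor default.
TraceEnable Off

# Option 2: mod_allowmethods. Restricts the method set per location; whether
# Apache's special handling of TRACE runs before this check is the open
# question in the thread, so verify it (see the curl check below).
<Location "/">
    AllowMethods GET POST HEAD OPTIONS
</Location>

# Option 3: a ModSecurity rule in phase 1 (request headers). Phase 1 runs
# before the TRACE handling that skips phase 2, so the method is still seen
# here even though the CRS tx.allowed_methods check in phase 2 is not reached.
# Rule id 10001 is an assumed value from the 1-99999 range reserved for
# local rules; pick one that does not clash with your own rules.
SecRule REQUEST_METHOD "@streq TRACE" \
    "id:10001,\
    phase:1,\
    deny,\
    status:405,\
    log,\
    msg:'HTTP TRACE method blocked in phase 1',\
    tag:'local/http-method'"

# Equivalent allow-list form of the same phase 1 rule, mirroring the
# tx.allowed_methods setting from the thread (id 10002 is also assumed).
# Enable one of the two, not both.
# SecRule REQUEST_METHOD "!@within GET POST HEAD OPTIONS" \
#     "id:10002,phase:1,deny,status:405,log,\
#     msg:'HTTP method not in local allow-list (phase 1)'"

# Verification after a config reload (run against your own server):
#   curl -s -o /dev/null -w '%{http_code}\n' -X TRACE http://localhost/
# Expect 405 with the phase 1 rule active (or 403/405 from the other options)
# and a matching entry in the ModSecurity audit log; a 200 that echoes the
# request means the method still reaches the handler.
```

With all three enabled the phase 1 rule is the one that produces a ModSecurity log entry, which is what you want if TRACE attempts should show up in the audit log rather than be silently refused by the core.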

