[Owasp-modsecurity-core-rule-set] How to identify the rule that triggered

Lucas Ferreira listas at sapao.net
Thu Jan 14 13:01:24 EST 2010


I am getting some false positives like this one:

Jan 14 07:07:14 xxx httpd[7270]: [error] [client xxx] ModSecurity:
[file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_49_enforcement.conf"]
[line "40"] [msg "XSS Detected (score 20): IE XSS Filters - Attack
Detected"] Access denied with code 403 (phase 2). Match of "eq 0"
against "TX:xss_score" required. [hostname "xxx"] [uri "xxx"]
[unique_id "No5ZTX8AAAEAABxmmuAAAABR"]

How can I identify which of the "IE XSS Filters - Attack Detected"
rules triggered?

I am using:
Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/);
core ruleset/2.0.1; core ruleset/2.0.1.
Server: Apache/2.2.3 (CentOS)



Homo sapiens non urinat in ventum.
