[Owasp-modsecurity-core-rule-set] Paranoia Mode: Controversial candidate 960015 / 920300 and 960017 / 920350 (Header issues)

Christian Folini christian.folini at netnea.com
Tue Feb 2 08:32:57 UTC 2016


The discussion on these two rules can be combined, I think.

2.2.X rule 960015 (3.0.0rc1 rule 920300) "Request Missing an
Accept Header" is simple enough. Accept headers are mandatory,
thus a client request lacking an Accept header is illegal.

The problem: A lack of Accept headers is widespread and ModSecurity
is not going to fix the internet. Instead, we are generating
false positives and pestering our clients (if we block them based on
this rule triggering).

Moving this false-positive generator to the paranoia mode seems
a good move. But your view might vary.

With 960017 / 920350 (Host header is a numeric IP address),
the situation is slightly different. We agree it is a frequent
source of false positives, but Walter thinks it is not legitimate
users that are affected, but mass scanners. In my experience
it is load balancers and health checkers which fall into this
category as well. And stopping scanners is possibly beyond the
scope of a ModSec Core Rules vanilla install.

So what do we do with this rule?

mailto:christian.folini at netnea.com
twitter: @ChrFolini
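Added example (not CRS code and not part of the post): a small Python model of what the two rules discussed above test for, and of how assigning a rule to a higher paranoia level keeps it from firing on a vanilla install. It checks, as 920300 does, whether a request lacks an Accept header, and, as 920350 does, whether the Host header is a bare IP literal, then runs both checks over constructed sample requests for a browser, a load-balancer health checker, a scanner and an API client. The rule-to-level assignments, the per-rule anomaly scores, the sample requests and the function names are all assumptions made for the illustration; they are not values from any CRS release.

```python
"""Toy model of CRS-style header checks gated by a paranoia level.

Added example, not code from the CRS project. It mimics what rules
920300 (Request Missing an Accept Header) and 920350 (Host header is
a numeric IP address) test for. The paranoia levels and scores below
are assumptions chosen for the illustration, not any CRS release's values.
"""
import ipaddress
from typing import Dict, List

Headers = Dict[str, str]

# Rule id -> paranoia level at which the rule becomes active (assumed:
# 920300 moved to paranoia mode as the post proposes, 920350 left in the base set).
RULE_LEVELS = {"920300": 2, "920350": 1}
# Assumed per-rule anomaly scores, used only to show how blocking decisions add up.
ANOMALY_SCORE = {"920300": 2, "920350": 3}

# Constructed sample requests (header name -> value), not captured traffic.
SAMPLE_REQUESTS: Dict[str, Headers] = {
    "browser": {"Host": "www.example.com", "Accept": "text/html,*/*;q=0.8",
                "User-Agent": "Mozilla/5.0"},
    "health_checker": {"Host": "10.0.0.12", "User-Agent": "ELB-HealthChecker/2.0"},
    "scanner": {"Host": "203.0.113.7"},
    "api_client": {"Host": "api.example.com:8443", "User-Agent": "curl/7.47.0"},
}


def _get(headers: Headers, name: str) -> str:
    """Case-insensitive header lookup; HTTP header names are not case sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def host_is_numeric_ip(host: str) -> bool:
    """True if the Host value is a bare IP literal, with or without a port.

    Accepts 'addr', 'addr:port' and bracketed IPv6 '[addr]:port' forms;
    hostnames, with or without a port, return False.
    """
    host = host.strip()
    if not host:
        return False
    if host.startswith("["):  # RFC 3986 IPv6 literal: [addr](:port)?
        end = host.find("]")
        if end == -1:
            return False
        literal = host[1:end]
    elif host.count(":") == 1:  # single colon: host:port, strip the port
        literal = host.rsplit(":", 1)[0]
    else:  # no colon (IPv4/hostname) or several colons (unbracketed IPv6)
        literal = host
    try:
        ipaddress.ip_address(literal)
        return True
    except ValueError:
        return False


def evaluate(headers: Headers, paranoia_level: int) -> List[str]:
    """Return the ids of the rules that fire for this request at this level."""
    fired: List[str] = []
    if paranoia_level >= RULE_LEVELS["920300"] and not _get(headers, "Accept"):
        fired.append("920300")
    if paranoia_level >= RULE_LEVELS["920350"] and host_is_numeric_ip(_get(headers, "Host")):
        fired.append("920350")
    return fired


def anomaly_score(headers: Headers, paranoia_level: int) -> int:
    """Sum the assumed scores of every rule that fired for this request."""
    return sum(ANOMALY_SCORE[rule] for rule in evaluate(headers, paranoia_level))


def report(paranoia_level: int) -> Dict[str, List[str]]:
    """Map each sample request name to the rules it triggers at this level."""
    return {name: evaluate(hdrs, paranoia_level) for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for level in (1, 2):
        print(f"paranoia level {level}: {report(level)}")
```

At level 1 only the health checker and the scanner trip 920350, which is the trade-off the post describes: the same rule catches the scanner and the health checker. Raising the level to 2 activates 920300 and adds the curl-style API client to the list of requests flagged for a missing Accept header.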
