[Owasp-modsecurity-core-rule-set] Missing Component Signature / Version Information in Blocking Rules

Heinrich M. heinrichm001 at t-online.de
Thu Nov 24 06:46:46 UTC 2016


Hi Christian,

thank you for the information and the grep command :-). 

After dealing with some other problems the last days, I'm back to
ModSec today. I will report everything I encounter.

Regards,

Heinrich

P.S. Going to switch to 3.0/dev for further testing.


On Friday, 18.11.2016, at 16:06 +0100, Christian Folini wrote:
> Hello Heinrich,
> 
> Another well spotted bug. Thank you. It's funny how a new pair of eyes
> spots bugs in corners ignored by experienced users.
> 
> The support for the "ver" action is only partial. In fact there are
> more than only the blocking rules that come without the "ver" action.
> 
> I have opened a bug report for this issue:
> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/650
> 
> I flagged it for CRS 3.1.0. There is a chance, this will be made
> available for 3.0.1, but I doubt it as it's quite a bit of work
> and not crucial for the correct functioning of the rule set.
> 
> In your situation, you are best off with the following construct
> including the mandatory regular expression: Note how the CRS rules
> are all in the 900K range, but we lately claimed the 9M range too;
> hence {5,6}.
> 
> $> cat error.log | egrep "id \"9[0-9]{5,6}\""
> 
> Keep these bug reports coming, please.
> 
> Best,
> 
> Christian
> 
> 
> 
> On Thu, Nov 17, 2016 at 02:27:14PM +0100, Heinrich M. wrote:
> > 
> > Hi,
> > 
> > while playing around with the rule set and adding some custom rules, I
> > found that the blocking rules miss the version tag within Apache's
> > error log. Is there a reason for this? As far as I could see, every
> > other rule is tagged with [ver "OWASP_CRS/3.0.0"] but I may be missing
> > something.
> > 
> > I'd like to grep for '[ver "OWASP_CRS/3.0.0"]' in order to separate log
> > entries from custom rules from the CRS rules. I know that this can also
> > be done by rule IDs but those regexes are hard ;-).
> > 
> > Regards,
> > 
> > Heinrich
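
Added example, not part of the original thread or of the CRS project: a small shell sketch that uses the rule-ID expression from the reply above to split error-log entries into CRS and custom rules, and to list the CRS entries that carry no `ver` tag. The function names and the sample log lines are constructed for illustration; the line layout is abbreviated and only assumes the `[id "..."]` and `[ver "OWASP_CRS/..."]` fields discussed in the thread.

```shell
#!/bin/sh
# Constructed, abbreviated sample lines (not real log output).
sample_log() {
cat <<'EOF'
[error] ModSecurity: Warning. [id "942100"] [msg "sample"] [ver "OWASP_CRS/3.0.0"]
[error] ModSecurity: Access denied with code 403. [id "949110"] [msg "sample"]
[error] ModSecurity: Warning. [id "10001"] [msg "sample custom rule"]
[error] ModSecurity: Warning. [id "9001234"] [msg "sample"] [ver "OWASP_CRS/3.0.0"]
EOF
}

# Expression from the thread: 900K range (6 digits) and 9M range (7 digits).
# The closing quote keeps longer IDs that merely start with 9 from matching.
CRS_ID='id "9[0-9]{5,6}"'

# Entries written by CRS rules, selected by rule ID only.
crs_entries() { grep -E "$CRS_ID"; }

# Entries that carry a rule ID outside the CRS ranges (custom rules).
custom_entries() { grep -E 'id "[0-9]+"' | grep -Ev "$CRS_ID"; }

# CRS entries without a ver tag: the ones a grep for the tag would miss.
crs_without_ver() { crs_entries | grep -Fv '[ver "OWASP_CRS/'; }

# Line count without the padding some wc implementations add.
count() { wc -l | tr -d ' '; }

# Short report over the constructed sample; pipe a real error log through
# the same functions instead of sample_log.
printf 'CRS entries:       %s\n' "$(sample_log | crs_entries | count)"
printf 'custom entries:    %s\n' "$(sample_log | custom_entries | count)"
printf 'CRS, no ver tag:   %s\n' "$(sample_log | crs_without_ver | count)"
```
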

