ConfigServer ModSec Control not working in some cases

These forums are not for questions about ModSecurity, just the cmc script itself
Carlos Martini
Junior Member
Posts: 4
Joined: 29 Feb 2012, 12:14
Location: Florianopolis, SC, Brazil


Post by Carlos Martini »

Hello,

We have some security rules deactivated in "ConfigServer ModSec Control". The problem is that even with the rules disabled there are still clients being blocked in our firewall because of them.

The rules are: 970901 and 981205

In our logs:

[Tue Feb 28 12:42:31 2012] [error] [client 200.193.0.106] ModSecurity: Access denied with code 403 (phase 4). Pattern match "^5\\\\d{2}$" at RESPONSE_STATUS. [file "/usr/local/apache/conf/modsecurity-crs/base_rules/modsecurity_crs_50_outbound.conf"] [line "53"] [id "970901"] [rev "2.2.2"] [msg "The application is not available"] [severity "ERROR"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"] [hostname "www.XXXXXXXXXXX"] [uri "/favicon.ico"] [unique_id "T0z15zIWJcIACpn6LJoAAAAB"]

[Tue Feb 28 12:42:31 2012] [error] [client 200.193.0.106] ModSecurity: Warning. Operator GE matched 0 at TX:outbound_anomaly_score. [file "/usr/local/apache/conf/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 0): The application is not available"] [hostname "www.XXXXXXXXXXX"] [uri "/favicon.ico"] [unique_id "T0z15zIWJcIACpn6LJoAAAAB"]

Please, what may be happening?

appds
Junior Member
Posts: 5
Joined: 23 Oct 2008, 22:41

Re: ConfigServer ModSec Control not working in some cases

Post by appds »

Same issue here.

Does anyone know how to fix it?

Sergio
Junior Member
Posts: 1383
Joined: 12 Dec 2006, 14:56

Re: ConfigServer ModSec Control not working in some cases

Post by Sergio »

What option did you use to white list those rules?

Sergio

Carlos Martini
Junior Member
Posts: 4
Joined: 29 Feb 2012, 12:14
Location: Florianopolis, SC, Brazil

Re: ConfigServer ModSec Control not working in some cases

Post by Carlos Martini »

Hello,

Plugins > ConfigServer ModSec Control

Selected domain > Modify user whitelist

mod_security rule ID list:

970901
981205

Saved whitelist.

The same way we deactivated several other rules.

However, it seems that this problem only happens with these two rules.

A mod_security issue, maybe... ?

Sergio
Junior Member
Posts: 1383
Joined: 12 Dec 2006, 14:56

Re: ConfigServer ModSec Control not working in some cases

Post by Sergio »

Why don't you try to white list the rule via modsec2.whitelist.conf, using something like the example:

<LocationMatch /path_to_your_file.php>
    SecRuleRemoveById 970901
    SecRuleRemoveById 981205
</LocationMatch>

Sergio

Carlos Martini
Junior Member
Posts: 4
Joined: 29 Feb 2012, 12:14
Location: Florianopolis, SC, Brazil

Re: ConfigServer ModSec Control not working in some cases

Post by Carlos Martini »

Hello,

Well, I know how to whitelist manually.

But the WHM plugin exists to make our lives easier, right? ;-)

The strange thing is that this isn't working only for these 2 rules...

chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Re: ConfigServer ModSec Control not working in some cases

Post by chirpy »

Make sure that the whitelist line "Include /usr/local/apache/conf/modsec2.whitelist.conf" in modsec2.user.conf is the very first line in that file and then restart httpd. Other than that, I don't know why it wouldn't work.
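
An added example, not part of the original post and not ConfigServer's code: it runs the Include-order check described above, then sorts log hits on whitelisted rule IDs by whether the request URI falls inside the LocationMatch that holds the SecRuleRemoveById. The function names, sample config, sample log lines and placeholder IP/host are constructed for illustration; comment lines before the Include are tolerated as an assumption.

```python
import re
# Constructed samples in the formats shown in this thread; IP and host are placeholders.
USER_CONF = "SecAuditEngine RelevantOnly\nInclude /usr/local/apache/conf/modsec2.whitelist.conf\n"
WHITELIST = """<LocationMatch /path_to_your_file.php>
SecRuleRemoveById 970901
SecRuleRemoveById 981205
</LocationMatch>
"""
LOG = """[error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 4). [id "970901"] [hostname "www.example.test"] [uri "/favicon.ico"]
[error] [client 192.0.2.10] ModSecurity: Warning. [id "981205"] [hostname "www.example.test"] [uri "/path_to_your_file.php"]
[error] [client 192.0.2.10] ModSecurity: Warning. [id "999001"] [hostname "www.example.test"] [uri "/index.php"]
"""
LOG_RE = re.compile(r'ModSecurity: .*?\[id "(\d+)"\].*?\[uri "([^"]*)"\]')

def include_is_first(user_conf):
    """True if the first non-blank, non-comment line includes modsec2.whitelist.conf."""
    for line in user_conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            return bool(re.match(r"Include\s+\S*modsec2\.whitelist\.conf", line, re.I))
    return False

def parse_whitelist(text):
    """Return [(low_id, high_id, scope)]; scope is a LocationMatch regex or None."""
    entries, scope = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith(("<locationmatch", "</locationmatch")):
            opened = re.match(r'<LocationMatch\s+"?([^">]+)"?\s*>', line, re.I)
            scope = opened.group(1).strip() if opened else None
        elif line.lower().startswith("secruleremovebyid"):
            for token in line.split()[1:]:  # handles several ids and "low-high" ranges
                low, _, high = token.strip('"').partition("-")
                entries.append((int(low), int(high or low), scope))
    return entries

def audit(log, entries):
    """Report hits on whitelisted ids; 'in-scope' means the removal should have applied."""
    findings = []
    for hit in LOG_RE.finditer(log):
        rule_id, uri = int(hit.group(1)), hit.group(2)
        scopes = [s for low, high, s in entries if low <= rule_id <= high]
        if scopes:
            covered = any(s is None or re.search(s, uri) for s in scopes)
            findings.append((rule_id, uri, "in-scope" if covered else "out-of-scope"))
    return findings

if __name__ == "__main__":
    print("Include first:", include_is_first(USER_CONF))
    print(audit(LOG, parse_whitelist(WHITELIST)))
```

An "in-scope" hit points at the whitelist not being loaded (Include order, httpd not restarted); an "out-of-scope" hit means the removal exists but does not cover that URI.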

Carlos Martini
Junior Member
Posts: 4
Joined: 29 Feb 2012, 12:14
Location: Florianopolis, SC, Brazil

Re: ConfigServer ModSec Control not working in some cases

Post by Carlos Martini »

Sorry, I think you don't understand the case.

ConfigServer ModSec Control not working ONLY WITH 2 OR 3 RULES.

For ALL other rules, it works fine, normally.

There is no configuration error.

chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Re: ConfigServer ModSec Control not working in some cases

Post by chirpy »

Then I have no idea why ModSecurity would not be ignoring the rules you have told it to ignore.

Sergio
Junior Member
Posts: 1383
Joined: 12 Dec 2006, 14:56

Re: ConfigServer ModSec Control not working in some cases

Post by Sergio »

Carlos,
can you share what CMC is showing you in the log for these rules?

Sergio
