disable rule not work

These forums are not for questions about ModSecurity, just the cmc script itself
13 posts Page 1 of 2
webstyler
Junior Member
Posts: 41
Joined: 15 Apr 2008, 23:40


Hello

We have a ton of false positives with rule 340206 under "/usr/local/apache/conf/modsec_rules/70_asl_csrf_experimental.conf"

So, first we tried to disable the rule for the user: did not work
after that, we tried to disable the rule for the user and domain: did not work
after that, we tried to disable the rule globally: did not work

Best regards
Sergio
Junior Member
Posts: 1366
Joined: 12 Dec 2006, 14:56


If you are using the paid rules, you have to be aware that some rules only work with ASL HARDENING. The set in 70_asl_csrf_experimental.conf is one of them and is not needed with CSF, so you can delete that set of rules. You can contact ASL support and they will confirm this.

Sergio
webstyler
Junior Member
Posts: 41
Joined: 15 Apr 2008, 23:40


Hi
Same issue on another server, but this time the rule is a standard cPanel one (960032)
We whitelisted it, but it is still ignored
:/
Sergio
Junior Member
Posts: 1366
Joined: 12 Dec 2006, 14:56


Try the following:
- Enter into CSF GUI and go to "SEARCH SYSTEM LOGS".
- Select the first log option "/usr/local/apache/logs/error_logs"
- Search the string: 960032 using the "Detach" option

Paste here some of the lines that you got there.
webstyler
Junior Member
Posts: 41
Joined: 15 Apr 2008, 23:40


Hi Sergio

Last rows:
[Mon Jan 13 13:49:34 2014] [error] [client 77.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPg3k1d-@0AAHyxBsUAAAAI"]
[Mon Jan 13 14:04:09 2014] [error] [client 54.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPkSU1d-@0AACWhPxkAAAAK"]
[Mon Jan 13 14:04:09 2014] [error] [client 54.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPkSU1d-@0AAD6LXpwAAAAG"]
[Mon Jan 13 14:43:06 2014] [error] [client 93.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPtak1d-@0AAExDWgYAAAAf"]
[Mon Jan 13 15:29:56 2014] [error] [client 93.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtP4ZE1d-@0AAHtkJrwAAAAE"]
Sergio
Junior Member
Posts: 1366
Joined: 12 Dec 2006, 14:56


Ok, now do this:
look at /usr/local/apache/conf/modsec2.user.conf and copy here the code that is in line "39".
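
The log-to-file lookup walked through in the posts above, as an added example that is not part of the original thread: it parses ModSecurity 2.x error_log lines in the format posted here and reports which file and line define each rule ID that fired. The sample lines are constructed; rule 999001 and example_rules.conf are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the error_log lines quoted in this thread.
# Client addresses, hostnames and unique_id values are made up; rule 999001 and
# example_rules.conf are hypothetical and only show a second rule source.
SAMPLE_LOG = '''\
[Mon Jan 13 13:49:34 2014] [error] [client 192.0.2.10] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [hostname "www.example.com"] [uri "/"] [unique_id "CONSTRUCTED0001"]
[Mon Jan 13 14:04:09 2014] [error] [client 192.0.2.20] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [hostname "www.example.com"] [uri "/"] [unique_id "CONSTRUCTED0002"]
[Mon Jan 13 14:05:00 2014] [error] [client 192.0.2.20] ModSecurity: Access denied with code 403 (phase 2). Pattern match "example" at ARGS:q. [file "/usr/local/apache/conf/example_rules.conf"] [line "7"] [id "999001"] [msg "Constructed rule"] [hostname "www.example.com"] [uri "/search"] [unique_id "CONSTRUCTED0003"]
[Mon Jan 13 14:10:00 2014] [error] [client 192.0.2.30] File does not exist: /home/example/public_html/favicon.ico
'''

# ModSecurity 2.x appends rule metadata as [key "value"] pairs after the message.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_line(line):
    """Return {key: [values]} for a ModSecurity log line, or None for other lines."""
    _, marker, body = line.partition("ModSecurity:")
    if not marker:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(body):
        fields.setdefault(key, []).append(value)  # keys such as tag can repeat
    return fields


def rule_locations(log_text):
    """Count hits per (rule id, defining file, line number in that file)."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or "id" not in fields:
            continue  # not a ModSecurity line, or no rule id was logged
        hits[(fields["id"][0],
              fields.get("file", ["?"])[0],
              fields.get("line", ["?"])[0])] += 1
    return hits


if __name__ == "__main__":
    for (rule_id, path, lineno), count in rule_locations(SAMPLE_LOG).most_common():
        print(f"{count:3d}  id={rule_id}  {path}:{lineno}")
```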
webstyler
Junior Member
Posts: 41
Joined: 15 Apr 2008, 23:40


# allow request methods
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"

line 39 is
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"
Sergio
Junior Member
Posts: 1366
Joined: 12 Dec 2006, 14:56


webstyler wrote:
# allow request methods
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"

line 39 is
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"

If you don't want to use this rule on your server, you can disable it just by adding a remark "#" (without the quotes) to the "SecRule" line.

By the way, why are you using this rule inside your modsec2.user.conf file? Do you have other rules inside that file?
webstyler
Junior Member
Posts: 41
Joined: 15 Apr 2008, 23:40


For this server, all rules are defined inside modsec2.user.conf, as is the cPanel default
Sergio
Junior Member
Posts: 1366
Joined: 12 Dec 2006, 14:56


OK, cPanel rules are not the best ones; you should consider using a better set of rules.

In the meantime, just disable the rule that is causing you the error and you are all set.