Page 1 of 2

disable rule not work

Posted: 20 Nov 2013, 08:08
by webstyler
Hello

We have a ton of false positive with rules 340206 under "/usr/local/apache/conf/modsec_rules/70_asl_csrf_experimental.conf"

So, we have first try to disable rule for user : not work
after, we try to disable rule for user and domain : not work
after, we try to disable rule globally : not work

Best regards

Re: disable rule not work

Posted: 21 Nov 2013, 04:25
by Sergio
If you are using the payed rules, you have to be aware that some rules only work with ASL HARDENING, and the set of 70_asl_csrf_experimental.conf is one of them and is not needed with CSF, you can delete that set of rules. You can contact ASL support and they will confirm this.

Sergio

Re: disable rule not work

Posted: 13 Jan 2014, 11:55
by webstyler
Hi
Same issue on other server, but this time rules is standard cpanel (960032)
We whitelist but still ignored
:/

Re: disable rule not work

Posted: 13 Jan 2014, 14:38
by Sergio
Try the following:
- Enter into CSF GUI and go to "SEARCH SYSTEM LOGS".
- Select the first log option "/usr/local/apache/logs/error_logs"
- Search the string: 960032 using the "Detach" option

Paste here some of the lines that you got there.

Re: disable rule not work

Posted: 13 Jan 2014, 14:46
by webstyler
Hi Sergio

Last rows:
[Mon Jan 13 13:49:34 2014] [error] [client 77.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPg3k1d-@0AAHyxBsUAAAAI"]
[Mon Jan 13 14:04:09 2014] [error] [client 54.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPkSU1d-@0AACWhPxkAAAAK"]
[Mon Jan 13 14:04:09 2014] [error] [client 54.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPkSU1d-@0AAD6LXpwAAAAG"]
[Mon Jan 13 14:43:06 2014] [error] [client 93.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPtak1d-@0AAExDWgYAAAAf"]
[Mon Jan 13 15:29:56 2014] [error] [client 93.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtP4ZE1d-@0AAHtkJrwAAAAE"]

Re: disable rule not work

Posted: 13 Jan 2014, 16:00
by Sergio
Ok, now do this:
look at /usr/local/apache/conf/modsec2.user.conf and copy here the code that is in line "39".

Re: disable rule not work

Posted: 13 Jan 2014, 16:15
by webstyler
# allow request methods
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"

line 39 is
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"

Re: disable rule not work

Posted: 13 Jan 2014, 17:21
by Sergio
webstyler wrote:
# allow request methods
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"

line 39 is
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"
If you don't want to use this rule in your server, you can disable it just adding a remark "#" (without the quotes) to the "SecRule" line.

By the way, Why are you using this rule inside your modsec2.user.conf file? Do you have other rules inside that file?

Re: disable rule not work

Posted: 13 Jan 2014, 19:46
by webstyler
For this server all rules is define inside the modsec2.user.conf as by default cpanel

Re: disable rule not work

Posted: 13 Jan 2014, 20:04
by Sergio
Ok, cpanel rules are not the best ones, you should consider using a better set of rules.

In the mean time, just disable the rule that is causing you the error and you are all set.