Hello,
We have some security rules deactivated in "ConfigServer ModSec Control". The problem is that even with the rules disabled there are still clients being blocked in our firewall because of them.
The rules are: 970901 and 981205
In our logs:
[Tue Feb 28 12:42:31 2012] [error] [client 200.193.0.106] ModSecurity: Access denied with code 403 (phase 4). Pattern match "^5\\\\d{2}$" at RESPONSE_STATUS. [file "/usr/local/apache/conf/modsecurity-crs/base_rules/modsecurity_crs_50_outbound.conf"] [line "53"] [id "970901"] [rev "2.2.2"] [msg "The application is not available"] [severity "ERROR"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"] [hostname "www.XXXXXXXXXXX"] [uri "/favicon.ico"] [unique_id "T0z15zIWJcIACpn6LJoAAAAB"]
[Tue Feb 28 12:42:31 2012] [error] [client 200.193.0.106] ModSecurity: Warning. Operator GE matched 0 at TX:outbound_anomaly_score. [file "/usr/local/apache/conf/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 0): The application is not available"] [hostname "www.XXXXXXXXXXX"] [uri "/favicon.ico"] [unique_id "T0z15zIWJcIACpn6LJoAAAAB"]
Please, what may be happening?
ConfigServer ModSec Control not working in some cases
-
Junior Member - Posts: 4
- Joined: 29 Feb 2012, 12:14
-
-
Junior Member - Posts: 4
- Joined: 29 Feb 2012, 12:14
-
Hello,
Plugins > ConfigServer ModSec Control
Selected domain > Modify user whitelist
mod_security rule ID list:
970901
981205
Saved whitelist.
The same way we deactivated several other rules.
However, it seems that this problem only happens with these two rules.
A mod_security issue, maybe... ?
Plugins > ConfigServer ModSec Control
Selected domain > Modify user whitelist
mod_security rule ID list:
970901
981205
Saved whitelist.
The same way we deactivated several other rules.
However, it seems that this problem only happens with these two rules.
A mod_security issue, maybe... ?
-
Junior Member - Posts: 4
- Joined: 29 Feb 2012, 12:14
-
Hello,
Well, I know how to whitelist manually.
But the WHM plugin exists to make our lives easier, right? ;-)
The strange is that this isn't working only for these 2 rules...
Well, I know how to whitelist manually.
But the WHM plugin exists to make our lives easier, right? ;-)
The strange is that this isn't working only for these 2 rules...
-
Junior Member - Posts: 4
- Joined: 29 Feb 2012, 12:14
-
Sorry, I think you don't understand the case.
ConfigServer ModSec Control not working ONLY WITH 2 OR 3 RULES.
For ALL other rules, it works fine, normally.
There are no configuration error.
ConfigServer ModSec Control not working ONLY WITH 2 OR 3 RULES.
For ALL other rules, it works fine, normally.
There are no configuration error.