Hello
We have a ton of false positives with rule 340206 under "/usr/local/apache/conf/modsec_rules/70_asl_csrf_experimental.conf".
So, first we tried to disable the rule for the user: it did not work.
After that, we tried to disable the rule for the user and domain: it did not work.
After that, we tried to disable the rule globally: it did not work.
Best regards
disable rule not work
If you are using the paid rules, you have to be aware that some rules only work with ASL HARDENING, and the set of 70_asl_csrf_experimental.conf is one of them and is not needed with CSF, so you can delete that set of rules. You can contact ASL support and they will confirm this.
Sergio
Hi Sergio
Last rows:
[Mon Jan 13 13:49:34 2014] [error] [client 77.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPg3k1d-@0AAHyxBsUAAAAI"]
[Mon Jan 13 14:04:09 2014] [error] [client 54.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPkSU1d-@0AACWhPxkAAAAK"]
[Mon Jan 13 14:04:09 2014] [error] [client 54.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPkSU1d-@0AAD6LXpwAAAAG"]
[Mon Jan 13 14:43:06 2014] [error] [client 93.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPtak1d-@0AAExDWgYAAAAf"]
[Mon Jan 13 15:29:56 2014] [error] [client 93.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtP4ZE1d-@0AAHtkJrwAAAAE"]
# allow request methods
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"
line 39 is
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"
webstyler wrote:
# allow request methods
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"
line 39 is
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"

If you don't want to use this rule in your server, you can disable it just adding a remark "#" (without the quotes) to the "SecRule" line.
By the way, Why are you using this rule inside your modsec2.user.conf file? Do you have other rules inside that file?
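Added example, not part of the thread or any poster's code: the log rows posted above name rule 960032 in modsec2.user.conf, not 340206, and a small parser that tallies denials by rule id, file and line shows which rule is actually blocking before anything is disabled. The sample lines are constructed in the format shown in the thread (documentation IP addresses, an example hostname, and a made-up warning rule 900001).

```python
import re
from collections import Counter

# ModSecurity appends bracketed key/value metadata to each Apache error-log
# line, e.g. [file "/path/rules.conf"] [line "39"] [id "960032"].
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample input: two denials, one non-blocking warning, one unrelated line.
SAMPLE_LOG = [
    '[Mon Jan 13 13:49:34 2014] [error] [client 192.0.2.10] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [hostname "www.example.com"] [uri "/"]',
    '[Mon Jan 13 14:04:09 2014] [error] [client 192.0.2.20] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [hostname "www.example.com"] [uri "/"]',
    '[Mon Jan 13 14:05:00 2014] [error] [client 192.0.2.30] ModSecurity: Warning. Pattern match "select" at ARGS:q. [file "/etc/example/constructed.conf"] [line "12"] [id "900001"] [msg "constructed warning"] [hostname "www.example.com"] [uri "/search"]',
    '[Mon Jan 13 14:10:00 2014] [error] [client 192.0.2.40] File does not exist: /var/www/favicon.ico',
]

def parse_modsec_line(line):
    """Return the metadata fields of a ModSecurity entry, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    # Repeated keys such as 'tag' keep their last value; id/file/line occur once.
    fields = dict(FIELD_RE.findall(line))
    fields["denied"] = "Access denied" in line
    return fields

def tally_denials(lines):
    """Count blocked requests per (rule id, rule file, line number)."""
    counts = Counter()
    for line in lines:
        entry = parse_modsec_line(line)
        if entry and entry["denied"] and "id" in entry:
            key = (entry["id"], entry.get("file", "?"), entry.get("line", "?"))
            counts[key] += 1
    return counts

def blocking_rule_ids(lines):
    """Sorted rule ids that actually denied a request in the given log lines."""
    return sorted({rule_id for rule_id, _, _ in tally_denials(lines)})

if __name__ == "__main__":
    for (rule_id, path, lineno), n in tally_denials(SAMPLE_LOG).most_common():
        print(f"{n:4d}  id={rule_id}  {path}:{lineno}")
```

Feeding it the real error log (for example `tally_denials(open(path))`) gives the same per-rule breakdown for a live server.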