disable rule not work

These forums are not for questions about ModSecurity, just the cmc script itself
13 posts Page 1 of 2
Post Reply
webstyler
Junior Member
Posts: 41
Joined: 15 Apr 2008, 23:40
Post by webstyler » 20 Nov 2013, 08:08
Quote
Hello

We have a ton of false positive with rules 340206 under "/usr/local/apache/conf/modsec_rules/70_asl_csrf_experimental.conf"

So, we have first try to disable rule for user : not work
after, we try to disable rule for user and domain : not work
after, we try to disable rule globally : not work

Best regards
Top
Sergio
Junior Member
Posts: 1381
Joined: 12 Dec 2006, 14:56
Post by Sergio » 21 Nov 2013, 04:25
Quote
If you are using the payed rules, you have to be aware that some rules only work with ASL HARDENING, and the set of 70_asl_csrf_experimental.conf is one of them and is not needed with CSF, you can delete that set of rules. You can contact ASL support and they will confirm this.

Sergio
Top
webstyler
Junior Member
Posts: 41
Joined: 15 Apr 2008, 23:40
Post by webstyler » 13 Jan 2014, 11:55
Quote
Hi
Same issue on other server, but this time rules is standard cpanel (960032)
We whitelist but still ignored
:/
Top
Sergio
Junior Member
Posts: 1381
Joined: 12 Dec 2006, 14:56
Post by Sergio » 13 Jan 2014, 14:38
Quote
Try the following:
- Enter into CSF GUI and go to "SEARCH SYSTEM LOGS".
- Select the first log option "/usr/local/apache/logs/error_logs"
- Search the string: 960032 using the "Detach" option

Paste here some of the lines that you got there.
Top
webstyler
Junior Member
Posts: 41
Joined: 15 Apr 2008, 23:40
Post by webstyler » 13 Jan 2014, 14:46
Quote
Hi Sergio

Last rows:
[Mon Jan 13 13:49:34 2014] [error] [client 77.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPg3k1d-@0AAHyxBsUAAAAI"]
[Mon Jan 13 14:04:09 2014] [error] [client 54.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPkSU1d-@0AACWhPxkAAAAK"]
[Mon Jan 13 14:04:09 2014] [error] [client 54.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPkSU1d-@0AAD6LXpwAAAAG"]
[Mon Jan 13 14:43:06 2014] [error] [client 93.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPtak1d-@0AAExDWgYAAAAf"]
[Mon Jan 13 15:29:56 2014] [error] [client 93.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtP4ZE1d-@0AAHtkJrwAAAAE"]
Top
Sergio
Junior Member
Posts: 1381
Joined: 12 Dec 2006, 14:56
Post by Sergio » 13 Jan 2014, 16:00
Quote
Ok, now do this:
look at /usr/local/apache/conf/modsec2.user.conf and copy here the code that is in line "39".
Top
webstyler
Junior Member
Posts: 41
Joined: 15 Apr 2008, 23:40
Post by webstyler » 13 Jan 2014, 16:15
Quote
# allow request methods
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"

line 39 is
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"
Top
Sergio
Junior Member
Posts: 1381
Joined: 12 Dec 2006, 14:56
Post by Sergio » 13 Jan 2014, 17:21
Quote
webstyler wrote:
# allow request methods
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"

line 39 is
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"
If you don't want to use this rule in your server, you can disable it just adding a remark "#" (without the quotes) to the "SecRule" line.

By the way, Why are you using this rule inside your modsec2.user.conf file? Do you have other rules inside that file?
Top
webstyler
Junior Member
Posts: 41
Joined: 15 Apr 2008, 23:40
Post by webstyler » 13 Jan 2014, 19:46
Quote
For this server all rules is define inside the modsec2.user.conf as by default cpanel
Top
Sergio
Junior Member
Posts: 1381
Joined: 12 Dec 2006, 14:56
Post by Sergio » 13 Jan 2014, 20:04
Quote
Ok, cpanel rules are not the best ones, you should consider using a better set of rules.

In the mean time, just disable the rule that is causing you the error and you are all set.
Top
Post Reply
13 posts Page 1 of 2
Return to “General Discussion (cmc)”