fl0ppy-d1sk
commented
3 years ago Hi @mgiammarco,
This is what we called a "false positive". Unfortunately, OWASP CRS doesn't have exclusions rules for "odoo" in their repository. Here are some alternatives :
- Turn off ModSecurity (not recommended)
- Increase the anomaly score thresholds
- Create exclusion rules "by hand"
More info :
- You have detailed ModSecurity logs in /var/log/nginx/modsec_audit.log inside the container(s)
- ModSecurity on bunkerized-nginx
- Example on how to use the /modsec-confs volume to remove a OWASP CRS rule
- OWASP CRS anomaly scoring mode
- Handling false positives with OWASP CRS
Anyway, I keep this open because we need to improve a detailed documentation on how to resolve that kind of common problem.
Hello, I have enabled web security with owasp rules to protect an "odoo" ero installation. Simply browsing it I get this error:
ModSecurity: Access denied with code 403 (phase 4). Matched "OperatorGe' with parameter4' against variableTX:OUTBOUND_ANOMALY_SCORE' (Value:4' ) [file "/opt/owasp/crs/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "68"] [id "959100"] [rev ""] [msg "Outbound Anomaly Score Exceeded (Total Score: 4)"] [data ""] [severity "0"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "192.168.96.3"] [uri "/web/dataset/call_kw/calendar.event/load_views"] [unique_id "161773279369.250424"] [ref ""] while sending to client, client: 151.36.150.198, server: odoo.xxxx-group.it, request: "POST /web/dataset/call_kw/calendar.event/load_views HTTP/2.0", upstream: "http://xxx.yy.235.253:10080/web/dataset/call_kw/calendar.event/load_views", host: "odoo.xxxx-group.it:20443" mywww_1 | 2021/04/06 18:13:14 [alert] 1609#1609: *9 header already sent while sending to client, client: 151.36.150.198, server: odoo.xxxx-group.it, request: "POST /web/dataset/call_kw/calendar.event/load_views HTTP/2.0", upstream: "http://157.90.235.253:10080/web/dataset/call_kw/calendar.event/load_views", host: "odoo.xxxx-group.it:20443"Is it my fault, a problem in bunkerity or in owasp rules? Thanks in advance for any help, Mario