corazawaf / coraza-spoa

EXPERIMENTAL: A wrapper around the OWASP Coraza WAF for HAProxy's SPOE filters
Apache License 2.0

Exception rule fails #61

Open MatiLeg opened 1 year ago

MatiLeg commented 1 year ago

I have the following rule in `REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf`:

```
SecRule REQUEST_HEADERS:Host "@pm test.domain.com" \
    "id:1005,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleEngine=Off"
```

I want Coraza to not work for the site test.domain.com.

If I run the curl command `curl http://test.domain.com/\?x\=/etc/passwd`, it is fine; it doesn't block anything. But if I run `curl -A "" -H "User-Agent;" https://test.domain.com/` to send a request without the User-Agent header, I get this log line:

```
May 23 12:31:40 SERVER coraza-spoa[1167]: {"level":"info","ts":1684855900.383147,"msg":"[client \"_IPADDRESS\"] Coraza: Warning. Empty User Agent Header [file \"/etc/coraza-spoa/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"0\"] [id \"920330\"] [rev \"\"] [msg \"Empty User Agent Header\"] [data \"\"] [severity \"notice\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/210/272\"] [hostname \"\"] [uri \"/?\"]\n"}
```

It seems that rules with ID 920xxx are executed despite my rule 1005. What can be happening? I used the same rule in ModSecurity and it works fine.