coreruleset / modsecurity-crs-docker

Official ModSecurity Docker + Core Rule Set (CRS) images
https://coreruleset.org
Apache License 2.0

Whitelisting and volumes #149

Closed lordraiden closed 1 year ago

lordraiden commented 1 year ago

I have spent many hours troubleshooting and I need to ask...

This is my compose file

  modsecurity:
    image: owasp/modsecurity-crs:nginx-alpine
    container_name: ProxyDMZ-ModSecurity
    restart: unless-stopped
    networks:
      - netmodsecurity
    volumes:
      - /mnt/user/Docker/WebProxyDMZ/ModSecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
      - /mnt/user/Docker/WebProxyDMZ/ModSecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
      #- /mnt/user/Docker/WebProxyDMZ/ModSecurity:/etc/modsecurity.d/owasp-crs/rules
      #- /mnt/user/Docker/WebProxyDMZ/ModSecurity/auditlogs:/dev/stdout
      #- /mnt/user/Docker/WebProxyDMZ/ModSecurity/data:/tmp/modsecurity/data
    environment:
      # ModSecurity ENV Variables
      # CRS specific variables
      - PARANOIA=1
      - ANOMALY_INBOUND=5
      - ANOMALY_OUTBOUND=5
      - BACKEND=http://dummy

  dummy:
    image: traefik/whoami
    container_name: ProxyDMZ-ModSecurity-Dummy
    restart: unless-stopped
    networks:
      - netmodsecurity

I have been trying to whitelist this (to parse it: https://jsonformatter.org/json-parser):

{
  "transaction": {
    "time": "30/May/2023:16:24:54.554782 +0000",
    "transaction_id": "ZHYjVmYd9f-YI4qF-PtKfgAAAIA",
    "remote_address": "172.24.0.4",
    "remote_port": 38164,
    "local_address": "172.24.0.3",
    "local_port": 80
  },
  "request": {
    "request_line": "POST /auth/login_flow HTTP/1.1",
    "headers": {
      "Host": "modsecurity:80",
      "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.57",
      "Content-Length": "145",
      "Accept": "*/*",
      "Accept-Encoding": "gzip, deflate, br",
      "Accept-Language": "es",
      "Content-Type": "text/plain;charset=UTF-8",
      "Origin": "https://ha.asdasdasd.com.es",
      "Referer": "https://ha.asdasdasd.com.es/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fha.asdasdasd.com.es%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fha.asdasdasd.com.es%2F&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly9oYS5zdWJ6ZXJvY2xvdWQuY29tLmVzIiwiY2xpZW50SWQiOiJodHRwczovL2hhLnN1Ynplcm9jbG91ZC5jb20uZXMvIn0%3D",
      "Sec-Ch-Ua": "\"Microsoft Edge\";v=\"113\", \"Chromium\";v=\"113\", \"Not-A.Brand\";v=\"24\"",
      "Sec-Ch-Ua-Mobile": "?0",
      "Sec-Ch-Ua-Platform": "\"Windows\"",
      "Sec-Fetch-Dest": "empty",
      "Sec-Fetch-Mode": "cors",
      "Sec-Fetch-Site": "same-origin",
      "X-Forwarded-Host": "ha.asdasdasd.com.es",
      "X-Forwarded-Port": "443",
      "X-Forwarded-Proto": "https",
      "X-Forwarded-Server": "fe88f12530b6",
      "X-Real-Ip": "10.10.10.23"
    },
    "body": [
      "{\"client_id\":\"https://ha.asdasdasdasd.com.es/\",\"handler\":[\"homeassistant\",null],\"redirect_uri\":\"https://ha.asdasdasdasd.com.es/?auth_callback=1\"}"
    ]
  },
  "response": {
    "protocol": "HTTP/1.1",
    "status": 200,
    "headers": {
      "Content-Length": "1358",
      "Content-Type": "text/plain; charset=utf-8"
    },
    "body": "Hostname: 50ada140cfd9\nIP: 127.0.0.1\nIP: 172.24.0.2\nRemoteAddr: 172.24.0.3:42962\nPOST /auth/login_flow HTTP/1.1\r\nHost: modsecurity:80\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.57\r\nContent-Length: 145\r\nAccept: */*\r\nAccept-Language: es\r\nConnection: close\r\nContent-Type: text/plain;charset=UTF-8\r\nOrigin: https://ha.asdasdasd.com.es\r\nReferer: https://ha.asdasdasd.com.es/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fha.asdasdasd.com.es%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fha.asdasdasd.com.es%2F&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly9oYS5zdWJ6ZXJvY2xvdWQuY29tLmVzIiwiY2xpZW50SWQiOiJodHRwczovL2hhLnN1Ynplcm9jbG91ZC5jb20uZXMvIn0%3D\r\nSec-Ch-Ua: \"Microsoft Edge\";v=\"113\", \"Chromium\";v=\"113\", \"Not-A.Brand\";v=\"24\"\r\nSec-Ch-Ua-Mobile: ?0\r\nSec-Ch-Ua-Platform: \"Windows\"\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: same-origin\r\nX-Forwarded-For: 172.24.0.4\r\nX-Forwarded-Host: ha.asdasdasd.com.es, modsecurity:80\r\nX-Forwarded-Port: 443\r\nX-Forwarded-Proto: https\r\nX-Forwarded-Server: fe88f12530b6, localhost\r\nX-Real-Ip: 172.24.0.4\r\nX-Unique-Id: ZHYjVmYd9f-YI4qF-PtKfgAAAIA\r\n\r\n{\"client_id\":\"https://ha.asdasdasd.com.es/\",\"handler\":[\"homeassistant\",null],\"redirect_uri\":\"https://ha.asdasdasd.com.es/?auth_callback=1\"}"
  },
  "audit_data": {
    "messages": [
      "Warning. Match of \"within %{tx.allowed_request_content_type}\" against \"TX:content_type\" required. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"957\"] [id \"920420\"] [msg \"Request content type is not allowed by policy\"] [data \"|text/plain|\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.4\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/255/153\"] [tag \"PCI/12.1\"]"
    ],
    "error_messages": [
      "[file \"apache2_util.c\"] [line 275] [level 3] [client 172.24.0.4] ModSecurity: Warning. Match of \"within %{tx.allowed_request_content_type}\" against \"TX:content_type\" required. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"957\"] [id \"920420\"] [msg \"Request content type is not allowed by policy\"] [data \"|text/plain|\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.4\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/255/153\"] [tag \"PCI/12.1\"] [hostname \"modsecurity\"] [uri \"/auth/login_flow\"] [unique_id \"ZHYjVmYd9f-YI4qF-PtKfgAAAIA\"]"
    ],
    "handler": "proxy-server",
    "stopwatch": {
      "p1": 476,
      "p2": 748,
      "p3": 67,
      "p4": 381,
      "p5": 123,
      "sr": 61,
      "sw": 0,
      "l": 0,
      "gc": 0
    },
    "response_body_dechunked": true,
    "producer": [
      "ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/)",
      "OWASP_CRS/3.3.4"
    ],
    "server": "Apache",
    "engine_mode": "ENABLED"
  }
}

I have tried several combinations in the file "REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf" but I only get errors. What is the right way to do it? I would appreciate any help to learn how to whitelist; I have seen the example but nothing works using the conf file.

The other problem I have is that I have been trying to map volumes to be able to edit the config files, without success. What am I doing wrong?

airween commented 1 year ago

First of all: do you really want to allow the request with argument /?test=../etc?

Second: what is in your REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf?

What do you want to exclude?

lordraiden commented 1 year ago

First of all: do you really want to allow the request with argument /?test=../etc?

Second: what is in your REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf?

What do you want to exclude?

Hi, regarding the first question, sorry, I pasted the wrong log, please check again.

This is what I have in the conf file:

SecAction \
 "id:920420,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_nextcloud=1"

I have also tried this:

SecRuleRemoveById 920420

and this:

ctl:ruleRemoveById 920420

How could I whitelist this considering the path or something else in addition, so I don't disable the rule for everything?

lordraiden commented 1 year ago

Here is another example, lowering the inbound anomaly score:

{
  "transaction": {
    "time": "30/May/2023:16:38:58.783301 +0000",
    "transaction_id": "ZHYmomh1pUQ3yyc3yc4SkgAAAIA",
    "remote_address": "192.168.48.4",
    "remote_port": 43286,
    "local_address": "192.168.48.2",
    "local_port": 80
  },
  "request": {
    "request_line": "POST /auth/login_flow HTTP/1.1",
    "headers": {
      "Host": "modsecurity:80",
      "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.57",
      "Content-Length": "145",
      "Accept": "*/*",
      "Accept-Encoding": "gzip, deflate, br",
      "Accept-Language": "es",
      "Content-Type": "text/plain;charset=UTF-8",
      "Origin": "https://ha.saddsaasd.com.es",
      "Referer": "https://ha.saddsaasd.com.es/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fha.saddsaasd.com.es%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fha.saddsaasd.com.es%2F&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly9oYS5zdWJ6ZXJvY2xvdWQuY29tLmVzIiwiY2xpZW50SWQiOiJodHRwczovL2hhLnN1Ynplcm9jbG91ZC5jb20uZXMvIn0%3D",
      "Sec-Ch-Ua": "\"Microsoft Edge\";v=\"113\", \"Chromium\";v=\"113\", \"Not-A.Brand\";v=\"24\"",
      "Sec-Ch-Ua-Mobile": "?0",
      "Sec-Ch-Ua-Platform": "\"Windows\"",
      "Sec-Fetch-Dest": "empty",
      "Sec-Fetch-Mode": "cors",
      "Sec-Fetch-Site": "same-origin",
      "X-Forwarded-Host": "ha.saddsaasd.com.es",
      "X-Forwarded-Port": "443",
      "X-Forwarded-Proto": "https",
      "X-Forwarded-Server": "16a91540d589",
      "X-Real-Ip": "10.10.10.23"
    },
    "body": [
      "{\"client_id\":\"https://ha.saddsaasd.com.es/\",\"handler\":[\"homeassistant\",null],\"redirect_uri\":\"https://ha.saddsaasd.com.es/?auth_callback=1\"}"
    ]
  },
  "response": {
    "protocol": "HTTP/1.1",
    "status": 403,
    "headers": {
      "Content-Length": "199",
      "Content-Type": "text/html; charset=iso-8859-1"
    },
    "body": "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p>You don't have permission to access this resource.</p>\n</body></html>\n"
  },
  "audit_data": {
    "messages": [
      "Warning. Match of \"within %{tx.allowed_request_content_type}\" against \"TX:content_type\" required. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"957\"] [id \"920420\"] [msg \"Request content type is not allowed by policy\"] [data \"|text/plain|\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.4\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/255/153\"] [tag \"PCI/12.1\"]",
      "Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"94\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.4\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-generic\"]",
      "Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"92\"] [id \"980130\"] [msg \"Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0\"] [ver \"OWASP_CRS/3.3.4\"] [tag \"modsecurity\"] [tag \"event-correlation\"]"
    ],
    "error_messages": [
      "[file \"apache2_util.c\"] [line 275] [level 3] [client 192.168.48.4] ModSecurity: Warning. Match of \"within %{tx.allowed_request_content_type}\" against \"TX:content_type\" required. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"957\"] [id \"920420\"] [msg \"Request content type is not allowed by policy\"] [data \"|text/plain|\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.4\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/255/153\"] [tag \"PCI/12.1\"] [hostname \"modsecurity\"] [uri \"/auth/login_flow\"] [unique_id \"ZHYmomh1pUQ3yyc3yc4SkgAAAIA\"]",
      "[file \"apache2_util.c\"] [line 275] [level 3] [client 192.168.48.4] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"94\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.4\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-generic\"] [hostname \"modsecurity\"] [uri \"/auth/login_flow\"] [unique_id \"ZHYmomh1pUQ3yyc3yc4SkgAAAIA\"]",
      "[file \"apache2_util.c\"] [line 275] [level 3] [client 192.168.48.4] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"92\"] [id \"980130\"] [msg \"Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0\"] [ver \"OWASP_CRS/3.3.4\"] [tag \"modsecurity\"] [tag \"event-correlation\"] [hostname \"modsecurity\"] [uri \"/auth/login_flow\"] [unique_id \"ZHYmomh1pUQ3yyc3yc4SkgAAAIA\"]"
    ],
    "action": {
      "intercepted": true,
      "phase": 2,
      "message": "Operator GE matched 5 at TX:anomaly_score."
    },
    "handler": "proxy-server",
    "stopwatch": {
      "p1": 622,
      "p2": 1612,
      "p3": 0,
      "p4": 0,
      "p5": 199,
      "sr": 71,
      "sw": 0,
      "l": 0,
      "gc": 0
    },
    "response_body_dechunked": true,
    "producer": [
      "ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/)",
      "OWASP_CRS/3.3.4"
    ],
    "server": "Apache",
    "engine_mode": "ENABLED"
  }
}

airween commented 1 year ago

The problem is that the Content-Type header sent by the client is a special type which is not supported generally.

You don't need to write any exclusion, just add your custom CT's to CRS's crs-setup.conf, here.

Please read the previous comments carefully.

lordraiden commented 1 year ago

Ok, so I need to enable MANUAL_MODE, but what is the path that I need to map with a volume for the docker compose?

How would that fix you are proposing look? What would I have to add exactly to that conf?

And for this block example below, what would I need to add to the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file? What would be the correct syntax to add an exception with a rule ID and maybe another parameter?

Sorry for asking this, but I just need examples on how to go from A to B, then I can continue alone.

{
  "transaction": {
    "time": "31/May/2023:07:30:20.361664 +0000",
    "transaction_id": "ZHb3jIUexm1-kFV9-1jnTgAAAI8",
    "remote_address": "192.168.176.4",
    "remote_port": 53430,
    "local_address": "192.168.176.3",
    "local_port": 80
  },
  "request": {
    "request_line": "GET /auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fha.subzerocloud.com.es%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fha.subzerocloud.com.es%2F&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly9oYS5zdWJ6ZXJvY2xvdWQuY29tLmVzIiwiY2xpZW50SWQiOiJodHRwczovL2hhLnN1Ynplcm9jbG91ZC5jb20uZXMvIn0%3D HTTP/1.1",
    "headers": {
      "Host": "modsecurity:80",
      "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0",
      "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
      "Accept-Encoding": "gzip, deflate, br",
      "Accept-Language": "es-ES,en-US;q=0.8,es;q=0.5,en;q=0.3",
      "Cookie": "usprivacy=1NYN",
      "Dnt": "1",
      "Referer": "https://ha.subzerocloud.com.es/",
      "Sec-Fetch-Dest": "document",
      "Sec-Fetch-Mode": "navigate",
      "Sec-Fetch-Site": "same-origin",
      "Sec-Gpc": "1",
      "Te": "trailers",
      "Upgrade-Insecure-Requests": "1",
      "X-Forwarded-Host": "ha.subzerocloud.com.es",
      "X-Forwarded-Port": "443",
      "X-Forwarded-Proto": "https",
      "X-Forwarded-Server": "d2705663ae3a",
      "X-Real-Ip": "10.10.10.23"
    }
  },
  "response": {
    "protocol": "HTTP/1.1",
    "status": 403,
    "headers": {
      "Content-Length": "199",
      "Content-Type": "text/html; charset=iso-8859-1"
    },
    "body": "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p>You don't have permission to access this resource.</p>\n</body></html>\n"
  },
  "audit_data": {
    "messages": [
      "Warning. Match of \"endsWith .%{request_headers.host}\" against \"TX:rfi_parameter_ARGS:redirect_uri\" required. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf\"] [line \"127\"] [id \"931130\"] [msg \"Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link\"] [data \"Matched Data: https://ha.subzerocloud.com.es/ found within TX:rfi_parameter_ARGS:redirect_uri: .ha.subzerocloud.com.es\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.4\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-rfi\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/175/253\"] [tag \"paranoia-level/2\"]",
      "Warning. Match of \"endsWith .%{request_headers.host}\" against \"TX:rfi_parameter_ARGS:client_id\" required. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf\"] [line \"127\"] [id \"931130\"] [msg \"Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link\"] [data \"Matched Data: https://ha.subzerocloud.com.es/ found within TX:rfi_parameter_ARGS:client_id: .ha.subzerocloud.com.es\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.4\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-rfi\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/175/253\"] [tag \"paranoia-level/2\"]",
      "Access denied with code 403 (phase 2). Operator GE matched 6 at TX:anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"94\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 10)\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.4\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-generic\"]",
      "Warning. Operator GE matched 6 at TX:inbound_anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"92\"] [id \"980130\"] [msg \"Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=10,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 0, 10, 0, 0\"] [ver \"OWASP_CRS/3.3.4\"] [tag \"modsecurity\"] [tag \"event-correlation\"]"
    ],
    "error_messages": [
      "[file \"apache2_util.c\"] [line 275] [level 3] [client 192.168.176.4] ModSecurity: Warning. Match of \"endsWith .%{request_headers.host}\" against \"TX:rfi_parameter_ARGS:redirect_uri\" required. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf\"] [line \"127\"] [id \"931130\"] [msg \"Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link\"] [data \"Matched Data: https://ha.subzerocloud.com.es/ found within TX:rfi_parameter_ARGS:redirect_uri: .ha.subzerocloud.com.es\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.4\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-rfi\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/175/253\"] [tag \"paranoia-level/2\"] [hostname \"modsecurity\"] [uri \"/auth/authorize\"] [unique_id \"ZHb3jIUexm1-kFV9-1jnTgAAAI8\"]",
      "[file \"apache2_util.c\"] [line 275] [level 3] [client 192.168.176.4] ModSecurity: Warning. Match of \"endsWith .%{request_headers.host}\" against \"TX:rfi_parameter_ARGS:client_id\" required. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf\"] [line \"127\"] [id \"931130\"] [msg \"Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link\"] [data \"Matched Data: https://ha.subzerocloud.com.es/ found within TX:rfi_parameter_ARGS:client_id: .ha.subzerocloud.com.es\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.4\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-rfi\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/175/253\"] [tag \"paranoia-level/2\"] [hostname \"modsecurity\"] [uri \"/auth/authorize\"] [unique_id \"ZHb3jIUexm1-kFV9-1jnTgAAAI8\"]",
      "[file \"apache2_util.c\"] [line 275] [level 3] [client 192.168.176.4] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 6 at TX:anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"94\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 10)\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.4\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-generic\"] [hostname \"modsecurity\"] [uri \"/auth/authorize\"] [unique_id \"ZHb3jIUexm1-kFV9-1jnTgAAAI8\"]",
      "[file \"apache2_util.c\"] [line 275] [level 3] [client 192.168.176.4] ModSecurity: Warning. Operator GE matched 6 at TX:inbound_anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"92\"] [id \"980130\"] [msg \"Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=10,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 0, 10, 0, 0\"] [ver \"OWASP_CRS/3.3.4\"] [tag \"modsecurity\"] [tag \"event-correlation\"] [hostname \"modsecurity\"] [uri \"/auth/authorize\"] [unique_id \"ZHb3jIUexm1-kFV9-1jnTgAAAI8\"]"
    ],
    "action": {
      "intercepted": true,
      "phase": 2,
      "message": "Operator GE matched 6 at TX:anomaly_score."
    },
    "handler": "proxy-server",
    "stopwatch": {
      "p1": 604,
      "p2": 3275,
      "p3": 0,
      "p4": 0,
      "p5": 148,
      "sr": 89,
      "sw": 0,
      "l": 0,
      "gc": 0
    },
    "response_body_dechunked": true,
    "producer": [
      "ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/)",
      "OWASP_CRS/3.3.4"
    ],
    "server": "Apache",
    "engine_mode": "ENABLED"
  }
}

airween commented 1 year ago

Ok, so I need to enable MANUAL_MODE, but what is the path that I need to map with a volume for the docker compose?

I'm not a Docker expert, but I think, based on your config above:

    volumes:
      - /mnt/user/Docker/WebProxyDMZ/ModSecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
      - /mnt/user/Docker/WebProxyDMZ/ModSecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

you should add something similar:

      - /mnt/user/Docker/WebProxyDMZ/ModSecurity/crs-setup.conf:/etc/modsecurity.d/owasp-crs/crs-setup.conf

and in this file, you should set up your custom settings. (Of course you must have the original file.)

And for this block example below, what would I need to add to the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file? What would be the correct syntax to add an exception with a rule ID and maybe another parameter?

Sorry for asking this, but I just need examples on how to go from A to B, then I can continue alone.

No worries, we are here to help you :).

Based on your message it seems that these are matching with URI /auth/authorize, and the rule is always 931130. So I think you can try something like this:

SecRule REQUEST_URI "@strEq /auth/authorize" \
    "id:10001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=931130"
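
As an added example (not code from this issue, from lordraiden, or from the CRS project), here is a small Python helper for the workflow airween describes: read one audit-log entry in the JSON shape posted above, list which CRS rule ids actually fired for which request path, and render an exclusion of the same shape as the rule suggested in this comment. It deliberately skips 949110 and 980130, which only report that the anomaly score crossed the threshold. The sample entry is constructed and trimmed from the logs in this issue; the function and variable names are mine.

```python
import json
import re
from collections import defaultdict

# CRS evaluation/correlation rules: they only report that the anomaly score
# crossed the configured threshold and must never receive an exclusion.
EVALUATION_RULES = {"949110", "980130"}

# Constructed sample in the shape of the audit log entries in this issue,
# trimmed to the fields the triage needs (hostname replaced by example.test).
SAMPLE_AUDIT_LOG = json.dumps({
    "request": {
        "request_line": "GET /auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fha.example.test%2F HTTP/1.1",
    },
    "audit_data": {
        "messages": [
            'Warning. Match of "endsWith .%{request_headers.host}" against "TX:rfi_parameter_ARGS:redirect_uri" required. '
            '[file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf"] [line "127"] [id "931130"] '
            '[msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [severity "CRITICAL"] '
            '[tag "attack-rfi"] [tag "paranoia-level/2"]',
            'Warning. Match of "endsWith .%{request_headers.host}" against "TX:rfi_parameter_ARGS:client_id" required. '
            '[file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf"] [line "127"] [id "931130"] '
            '[msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [severity "CRITICAL"] '
            '[tag "attack-rfi"] [tag "paranoia-level/2"]',
            'Access denied with code 403 (phase 2). Operator GE matched 6 at TX:anomaly_score. '
            '[file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] '
            '[msg "Inbound Anomaly Score Exceeded (Total Score: 10)"]',
            'Warning. Operator GE matched 6 at TX:inbound_anomaly_score. '
            '[file "/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf"] [id "980130"] '
            '[msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10)"]',
        ]
    },
})

# ModSecurity message fields look like [id "931130"], [msg "..."], [tag "..."]
FIELD = re.compile(r'\[(id|msg|tag) "([^"]*)"\]')


def parse_message(message):
    """Extract rule id, message text and tags from one audit_data.messages entry."""
    fields = {"id": None, "msg": None, "tags": []}
    for key, value in FIELD.findall(message):
        if key == "tag":
            fields["tags"].append(value)
        else:
            fields[key] = value
    return fields


def request_path(entry):
    """Path part of request_line ("METHOD /path?query HTTP/1.1"), query stripped."""
    target = entry["request"]["request_line"].split(" ", 2)[1]
    return target.split("?", 1)[0]


def triage(audit_json):
    """Return (path, {rule_id: {count, msg, paranoia}}) for the detection rules only."""
    entry = json.loads(audit_json)
    hits = defaultdict(lambda: {"count": 0, "msg": "", "paranoia": None})
    for raw in entry["audit_data"]["messages"]:
        fields = parse_message(raw)
        if fields["id"] is None or fields["id"] in EVALUATION_RULES:
            continue  # no id, or a scoring rule: nothing to exclude here
        hit = hits[fields["id"]]
        hit["count"] += 1
        hit["msg"] = fields["msg"] or ""
        for tag in fields["tags"]:
            if tag.startswith("paranoia-level/"):
                hit["paranoia"] = int(tag.split("/", 1)[1])
    return request_path(entry), dict(hits)


def exclusion_rule(path, rule_id, local_id):
    """Render the exclusion in the shape used in this thread: prefix-match the
    request path and drop one CRS rule for that request only. Indented with
    spaces on purpose; tabs broke the config parse later in this issue."""
    lines = [
        f'SecRule REQUEST_URI "@beginsWith {path}" \\',
        f'    "id:{local_id},\\',
        '    phase:1,\\',
        '    pass,\\',
        '    t:none,\\',
        '    nolog,\\',
        f'    ctl:ruleRemoveById={rule_id}"',
    ]
    return "\n".join(lines)


def suggest_exclusions(audit_json, first_id=10001):
    """One exclusion per detection rule id seen for this request path."""
    path, hits = triage(audit_json)
    return [exclusion_rule(path, rule_id, first_id + n)
            for n, rule_id in enumerate(sorted(hits))]


if __name__ == "__main__":
    path, hits = triage(SAMPLE_AUDIT_LOG)
    for rule_id, hit in hits.items():
        print(f"{path}: rule {rule_id} fired {hit['count']}x (PL{hit['paranoia']}): {hit['msg']}")
    print("\n\n".join(suggest_exclusions(SAMPLE_AUDIT_LOG)))
```

Run it against your own entries (one JSON object per transaction, as in the logs above) and review each suggestion before copying it into REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf: `@beginsWith /auth/authorize` also matches any longer path with that prefix, and ModSecurity's `ctl:ruleRemoveTargetById=931130;ARGS:redirect_uri` is the narrower form when only one parameter is the problem.
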

lordraiden commented 1 year ago

Thanks a lot, now I have managed to add a few exclusions, but now I have a question.

My understanding is that error message 0 is the actual detection and is the trigger for the other 2 detections, so if I fix the "content type" issue I won't have this alert, and it would be an error to add a pass rule for /auth/login_flow and rules 980130 and 949110. Am I right?


Still trying to figure out how to fix the content type issue. I have tried with the rule below, but it is not working:

# To prevent blocking request with not allowed content-type by default, you can create an exclusion
# rule that removes rule 920420. For example:
# SecRule REQUEST_HEADERS:Content-Type "@rx ^text/plain" \
#  "id:1234,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  ctl:ruleRemoveById=920420,\
#  chain"
#  SecRule REQUEST_URI "@rx ^/foo/bar" "t:none"
#
# Uncomment this rule to change the default.
#
SecAction \
 "id:900220,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_request_content_type=|text/plain;charset=UTF-8|'"
#  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"

Would it be better to try to do it with the first section of the code? "# SecRule REQUEST_HEADERS:Content-Type "@rx ^text/plain" ...."

I have tried with this:

 SecRule REQUEST_HEADERS:Content-Type "@rx ^text/html; charset=iso-8859-1" \
  "id:1234,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  ctl:ruleRemoveById=920420,\
  chain"
  SecRule REQUEST_URI "@rx ^/auth/login_flow" "t:none"

but it doesn't work either.

airween commented 1 year ago

My understanding is that error message 0 is the actual detection and is the trigger for the other 2 detections, so if I fix the "content type" issue I won't have this alert, and it would be an error to add a pass rule for /auth/login_flow and rules 980130 and 949110. Am I right?

Yes, absolutely. Rules 949110 and 980130 are so-called "evaluation" rules. Do not make any exclusion against those.

Those are triggered only if the transaction score reaches the limit (which you can configure).

You should read more about this here.

Still trying to figure out how to fix the content type issue. I have tried with the rule below, but it is not working:

...

I should do this:

SecAction \
 "id:900220,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |text/plain|'"

Would it be better to try to do it with the first section of the code? "# SecRule REQUEST_HEADERS:Content-Type "@rx ^text/plain" ...."

I have tried with this:

 SecRule REQUEST_HEADERS:Content-Type "@rx ^text/html; charset=iso-8859-1" \
  "id:1234,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  ctl:ruleRemoveById=920420,\
  chain"
  SecRule REQUEST_URI "@rx ^/auth/login_flow" "t:none"

but it doesn't work either.

Where did you put this exclusion?

Does your client send exactly the same header as you put into the operand? (text/html; charset=iso-8859-1)?

(A side note: please do not use any non-anchored regex in these places, like CT header. Consider a request with this: text/html; charset=iso-8859-1; application/json; charset=utf8)
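
To show why the `|text/plain;charset=UTF-8|` entry from the earlier attempt did not work while `|text/plain|` does, and what the side note about anchoring means in practice, here is an added Python model of how CRS 3.3 rule 920420 evaluates the header (it is my reconstruction from the rule's behaviour as seen in the `[data "|text/plain|"]` field of the logs above, not code from the CRS project): keep only the media type before the first `;` or whitespace, lowercase it, wrap it in pipes, and check that token with `@within` against `tx.allowed_request_content_type`. The default list is the one quoted in this issue; the header values and function names are mine.

```python
import re

# Media type = everything before the first ';' or whitespace (same capture as 920420).
MEDIA_TYPE = re.compile(r"^([^;\s]+)")

# The CRS 3.3.4 default list as quoted in this issue, and airween's fix (|text/plain| appended).
DEFAULT_ALLOWED = ("|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| "
                   "|text/xml| |application/xml| |application/soap+xml| |application/json| "
                   "|application/cloudevents+json| |application/cloudevents-batch+json|")
FIXED_ALLOWED = DEFAULT_ALLOWED + " |text/plain|"
# The first attempt in this issue: the charset parameter is embedded in the token.
MISTAKEN_ALLOWED = "|text/plain;charset=UTF-8|"

# What the client sent in the audit log above.
HEADER = "text/plain;charset=UTF-8"


def normalise_content_type(header):
    """Turn a Content-Type header into the pipe-delimited token 920420 compares.
    Parameters such as charset are dropped and the type is lowercased, so
    'text/plain;charset=UTF-8' and 'Text/Plain; charset=utf-8' both become '|text/plain|'."""
    match = MEDIA_TYPE.match(header)
    return f"|{match.group(1).lower()}|" if match else None


def content_type_allowed(header, allowed_list):
    """Model of 920420: @within is a plain substring test of the token against the
    allowed list. The surrounding pipes are what stop '|text/xml|' from matching
    inside '|application/soap+xml|'; a token with ';' in it can never match."""
    token = normalise_content_type(header)
    return token is not None and token in allowed_list


def exclusion_regex_matches(pattern, header):
    """How a SecRule ... "@rx <pattern>" exclusion sees the header: the regex is
    searched anywhere in the value unless it is anchored with '^'."""
    return re.search(pattern, header) is not None


# Constructed header in the spirit of the side note: the wanted media type appears
# only as a parameter value, so an unanchored regex exclusion would still match it.
CRAFTED = "application/json; charset=utf8; text/plain"

if __name__ == "__main__":
    for name, allowed in (("default", DEFAULT_ALLOWED), ("mistaken", MISTAKEN_ALLOWED), ("fixed", FIXED_ALLOWED)):
        print(f"{name:8s} list: {HEADER!r} allowed = {content_type_allowed(HEADER, allowed)}")
    print("unanchored 'text/plain' on crafted header:", exclusion_regex_matches(r"text/plain", CRAFTED))
    print("anchored '^text/plain' on crafted header:", exclusion_regex_matches(r"^text/plain", CRAFTED))
    print("920420 token for crafted header:", normalise_content_type(CRAFTED))
```

The two results worth keeping in mind: the allowlist entry must be the bare media type in pipes, and an exclusion keyed on the Content-Type header should anchor its regex with `^` (or, better, not be needed at all once the type is on the allowlist), since the rule itself only ever looks at the text before the first `;`.
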

lordraiden commented 1 year ago

I added that rule in this file and line https://github.com/coreruleset/coreruleset/blob/ec0005183329f0241a31c8bd136598023d9aa8aa/crs-setup.conf.example#L410

Well, I think this is the header not supported: [image]

Not sure what you mean about anchors, I know little about regex.

Anyway, I used this as you suggested and now it works, thanks:

SecAction \
 "id:900220,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |text/plain|'"

lordraiden commented 1 year ago

Again :( To make it work I ended up using @beginsWith ....

SecRule REQUEST_URI "@beginsWith /auth/authorize" \
    "id:10001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=931130"

SecRule REQUEST_URI "@beginsWith /auth/token" \
    "id:10002,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=931130"

I get a syntax error but I'm not sure what is wrong.... AH00526: Syntax error on line 18 of /etc/modsecurity.d/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf: Invalid command 'REQUEST_URI', perhaps misspelled or defined by a module not included in the server configuration

EDIT: ok, I replaced the tabs by spaces.... now it works

airween commented 1 year ago

ok, I replaced the tabs by spaces.... now it works

Awesome.

If you don't have any other question, please close this issue.