
Owasp 900022

Comments

6 comments

  • xanubi
    > Can anyone explain what this rule does? Does it block visitors from the countries listed or is it just a warning? Owasp 900022
    >
    > # -=[ High Risk Fraud Countries ]=-
    > #
    > # Rules in the IP Reputation file will check the client against a list of HIGH Risk
    > # country codes. These countries were identified by ClearCommerce:
    > #
    > # - Ukraine
    > # - Indonesia
    > # - Yugoslavia
    > # - Lithuania
    > # - Egypt
    > # - Romania
    > # - Bulgaria
    > # - Turkey
    > # - Russia
    > # - Pakistan
    > # - Malaysia
    > #
    > # Additionally, based on WAF alert analysis reports, China is also included.
    > #
    > # If you have legitimate customers originating from one of these countries, you should
    > # remove it from this list.
    > #
    > SecAction "id:'900022', phase:request, nolog, pass, t:none, setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'"

    Unfortunately it does nothing. It should block those countries, but it doesn't do that. It's broken.
    0
  • kernow
    > Unfortunately it does nothing. It should block those countries, but it doesn't do that. It's broken.

    "sigh" Thanks for the info.
    0
  • cPanelMichael
    Hello :) Please note that you may want to report issues with specific rules directly to OWASP through their mailing list: OWASP & Mod_Security. Thank you.
    0
  • kernow
    > Hello :) Please note that you may want to report issues with specific rules directly to OWASP through their mailing list:
    0
  • quizknows
    The action chain on the rule simply sets a variable; it's not set to block. Later rules may take that variable into account. Rules generally have "allow, deny, or pass." Allow and deny are pretty self-explanatory; allow is used to whitelist something and deny is used in most rules to block the requests. The action "pass" means to neither block nor allow the request, but simply execute the non-disruptive actions such as the "setvar" action and then continue processing later rules for the request ("Allow" skips the later rule processing, and deny blocks instantly on a match.)
    0
  • kernow
    @quizknows Maybe cpanel should have handed these rules over to you for checking before unleashing them on us ;)
    0
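
To illustrate quizknows' explanation above, here is an added ModSecurity example (not from the thread and not the OWASP CRS's own rules) showing rule 900022 next to a later rule that actually reads `tx.high_risk_country_codes`. The rule ids 1000001 and 1000002, the `msg` texts and the GeoIP database path are assumptions.

```apache
# Added example. Ids 1000001/1000002 and the database path are assumptions;
# pick ids from your own local range and point the path at your GeoIP file.

# @geoLookup needs a GeoIP database (path is an assumption).
SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat

# Rule 900022 as posted in the thread: "pass" plus "setvar" only stores the
# list in the transaction collection. Nothing is blocked or logged here.
SecAction "id:'900022', phase:request, nolog, pass, t:none, setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'"

# Variant A, detection only: the chain starter resolves the client country,
# the chained rule tests it against the list set by 900022. The disruptive
# action is "pass", so a match is written to the audit/error log and rule
# processing continues.
SecRule REMOTE_ADDR "@geoLookup" \
    "id:'1000001', phase:request, t:none, pass, log, msg:'Client country is on the high risk list', chain"
    SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" "t:none"

# Variant B, blocking: same test, but the chain starter carries "deny", so a
# match ends the request with a 403. Use A or B, not both. With
# SecRuleEngine DetectionOnly, B is logged but not enforced.
SecRule REMOTE_ADDR "@geoLookup" \
    "id:'1000002', phase:request, t:none, deny, status:403, log, msg:'Blocked client from high risk country', chain"
    SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" "t:none"
```

The consuming rule has to be loaded after the `SecAction` that sets the variable; if the list is edited in 900022, both variants pick up the change without modification.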
