Mod Security Layman's Terms
Does anyone know of a list of MOD Sec rules, but in layman's terms, something that explains in layman's terms what was going on?
For instance:
960034: HTTP protocol version is not allowed by policy.
Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required.
Means absolutely nothing.
And then the actual rule text might as well be in Chinese.
-
Hello,

You may find the following OWASP configuration file helpful:

owasp-modsecurity-crs/modsecurity_crs_30_http_policy.conf at master · SpiderLabs/owasp-modsecurity-crs · GitHub

For instance, if you search that file for the term "HTTP protocol version is not allowed by policy", you can see additional information about the purpose of the rule in the commented lines.

EX:

    # Restrict protocol versions.
    #
    # TODO All modern browsers use HTTP version 1.1. For tight security, allow only
    #      this version.
    #
    # NOTE Automation programs, both malicious and non malicious many times use
    #      other HTTP versions. If you want to allow a specific automated program
    #      to use your site, try to create a narrower expection and not allow any
    #      client to send HTTP requests in a version lower than 1.1
    #
    SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" "phase:2,t:none,block,msg:'HTTP protocol version is not allowed by policy',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',id:'960034',tag:'OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

Thank you.
0
-
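Rule 960034 from the reply above, read piece by piece. This is an added example, not part of the original thread or of the OWASP CRS: a Python script that parses the one-line SecRule and evaluates its negated `@within` test the way the log message "Match of within ... required" describes. The value of `tx.allowed_http_versions` and the sample requests are assumptions constructed for illustration, and the rule's action list is shortened.

```python
import re

# Rule 960034 as quoted in the reply, with the action list shortened.
RULE = (
    'SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" '
    '"phase:2,t:none,block,'
    "msg:'HTTP protocol version is not allowed by policy',"
    "severity:'2',id:'960034'\""
)

# Assumption: the thread does not show what this variable is set to.
TX = {"allowed_http_versions": "HTTP/1.0 HTTP/1.1"}


def parse_rule(text):
    """Split a one-line SecRule into target variable, operator and actions."""
    m = re.match(r'SecRule\s+(\S+)\s+"(!?)@(\w+)\s+([^"]*)"\s+"(.*)"$', text)
    if not m:
        raise ValueError("not a one-line SecRule")
    var, neg, op, arg, actions = m.groups()
    return {"var": var, "negated": neg == "!", "op": op, "arg": arg,
            "actions": dict(re.findall(r"(\w+):'?([^',]*)'?", actions))}


def evaluate(rule, request, tx):
    """Return (fired, plain-language explanation) for one request."""
    if rule["op"] != "within":
        raise NotImplementedError(rule["op"])
    value = request[rule["var"]]
    # %{tx.name} is a macro: replace it with the variable's current value.
    allowed = re.sub(r"%\{tx\.(\w+)\}", lambda m: tx[m.group(1)], rule["arg"])
    found = value in allowed          # @within: is the value inside the list?
    fired = found != rule["negated"]  # a leading "!" inverts the operator
    verdict = "rule fires: " + rule["actions"]["msg"] if fired else "rule does not fire"
    return fired, (f"rule {rule['actions']['id']}: {rule['var']} is {value!r}, "
                   f"{'found' if found else 'not found'} in {allowed!r} -> {verdict}")


if __name__ == "__main__":
    rule = parse_rule(RULE)
    # Constructed sample requests, not taken from the poster's logs.
    for proto in ("HTTP/1.1", "HTTP/1.0", "HTTP/0.9"):
        print(evaluate(rule, {"REQUEST_PROTOCOL": proto}, TX)[1])
```

In plain words: the rule fires when the request's protocol version is not one of the versions listed in `tx.allowed_http_versions`.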
Thank You. 0