mod_security confusion please decipher.
Can someone decipher what the following mod_security code means? To me, it seems that the visitor was just looking at the website because the actual URLs (obfuscated here) were live and real links, robots.txt and others. Can't understand why mod_security would flag this and deny access.
Thanks.
[Tue Jan 09 22:14:38.850021 2024] [security2:error] [pid 48903:tid 22390201382656] [client XXXXXXXXX:29265] [client XXXXXXXXX] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.5"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.XXXXXXXXX.com"] [uri "/robots.txt"] [unique_id "ZZ4LnuMVYxbZ_aAzTsxHwQAAAQI"]
[Tue Jan 09 22:14:38.919561 2024] [security2:error] [pid 48903:tid 22390201382656] [client XXXXXXXXX:29265] [client XXXXXXXXX] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.5"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.XXXXXXXXX.com"] [uri "/index.php/early-XXXXXX"] [unique_id "ZZ4LnuMVYxbZ_aAzTsxHwgAAAQI"]
[Tue Jan 09 22:56:02.825967 2024] [security2:error] [pid 48904:tid 22390163560192] [client XXXXXXXXX:49117] [client XXXXXXXXX] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.5"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.XXXXXXXXX.com"] [uri "/index.php/work-XXXXXXX"] [unique_id "ZZ4VUrx0zpPSP4YsmYcwewAAAVQ"]
-
Hey hey! Details on that specific rule and how it works can be found here: https://github.com/SpiderLabs/OWASP-CRS-Documentation/blob/master/anomaly.rst#anamoly-scoring-mode
It's a bit different than standard rules, but see if that helps answer things.
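Added example (not from the post or the CRS project): rule 949110 only reports that the anomaly total reached the threshold, so the entries to look for are the other lines carrying the same unique_id, which name the rule(s) that actually scored. The script below parses the bracketed error-log fields, groups entries by unique_id and flags transactions where the 949110 line is present but the contributors are missing from the excerpt, which is exactly the situation in the post. The severity-to-points map is CRS 3.x anomaly scoring; the entry with id 999999 and the "Placeholder match" text is constructed and is not a real CRS rule.

```python
import re
from collections import defaultdict

# CRS 3.x anomaly scoring: each matching rule adds points by severity to TX:anomaly_score;
# rule 949110 blocks once the total reaches the threshold (default 5) and reports only the total.
SEVERITY_POINTS = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
BLOCKING_EVAL_RULE = "949110"
# Entries are a run of [key "value"] fields; repeated keys (tag) keep their last value.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
TOTAL_RE = re.compile(r"Total Score: (\d+)")

def parse_entry(line):
    """Return the bracketed fields of one entry plus the reported total score, if present."""
    fields = dict(FIELD_RE.findall(line))
    m = TOTAL_RE.search(line)
    fields["total_score"] = int(m.group(1)) if m else None
    return fields

def reconcile(lines):
    """Group entries by unique_id and compare 949110's total with the contributing rules seen."""
    by_tx = defaultdict(list)
    for line in lines:
        entry = parse_entry(line)
        if "unique_id" in entry:
            by_tx[entry["unique_id"]].append(entry)
    report = {}
    for tx, entries in by_tx.items():
        summaries = [e for e in entries if e.get("id") == BLOCKING_EVAL_RULE]
        others = [e for e in entries if e.get("id") != BLOCKING_EVAL_RULE]
        reported = summaries[0]["total_score"] if summaries else None
        computed = sum(SEVERITY_POINTS.get(e.get("severity"), 0) for e in others)
        report[tx] = {
            "uri": entries[0].get("uri"),
            "reported_total": reported,
            "contributing_ids": [e["id"] for e in others if "id" in e],
            "computed_total": computed,
            "excerpt_incomplete": reported is not None and computed < reported,  # block seen, scorers not
        }
    return report

# Constructed sample: a placeholder contributing entry (id 999999 is not a real CRS rule)
# followed by the post's first 949110 block; the post's third block has no contributing entry here.
SAMPLE_LOG = [
    '[Tue Jan 09 22:14:38.850021 2024] [security2:error] [pid 48903:tid 22390201382656] [client XXXXXXXXX:29265] '
    '[client XXXXXXXXX] ModSecurity: Warning. Placeholder match. [id "999999"] [msg "placeholder contributing rule"] [severity "CRITICAL"] [hostname "www.XXXXXXXXX.com"] [uri "/robots.txt"] [unique_id "ZZ4LnuMVYxbZ_aAzTsxHwQAAAQI"]',
    '[Tue Jan 09 22:14:38.850021 2024] [security2:error] [pid 48903:tid 22390201382656] [client XXXXXXXXX:29265] [client XXXXXXXXX] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.5"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.XXXXXXXXX.com"] [uri "/robots.txt"] [unique_id "ZZ4LnuMVYxbZ_aAzTsxHwQAAAQI"]',
    '[Tue Jan 09 22:56:02.825967 2024] [security2:error] [pid 48904:tid 22390163560192] [client XXXXXXXXX:49117] [client XXXXXXXXX] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.5"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.XXXXXXXXX.com"] [uri "/index.php/work-XXXXXXX"] [unique_id "ZZ4VUrx0zpPSP4YsmYcwewAAAVQ"]',
]
RESULT = reconcile(SAMPLE_LOG)  # the post's situation shows up as excerpt_incomplete == True
```

A "Total Score: 5" at the default threshold means a single CRITICAL-severity match was enough; the contributing entry is logged as "ModSecurity: Warning." with the same unique_id just before the 949110 line, so grep for that id rather than for the 403.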