Author Topic: Excluded rule for a domain is ignored  (Read 1889 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Excluded rule for a domain is ignored
« on: March 27, 2023, 09:09:39 PM »
I encounter a blockage with an MP4 file associated with an embedded video player.

Looking in the Apache error log, it's about a ModSecurity rule. So, I tried to exclude the concerned rule from CWP (Security/ModSecurity/Domains/<concerned_domain>/Edit Rules), but every time I saved the file, despite the message "success", it was not there (empty text area when I open it again).

So, I took a look on disk and the path indicated by CWP didn't exist: /usr/local/apache/conf/userdata/<user>/<domain>/modsec.conf. Then, I created the path and renewed the operation from within CWP... And this time, the file modsec.conf was effectively created clicking the save button.

But, even after a restart of Apache, the exclusion is ignored; same error!

At this stage, I wonder if it's because the file is in the wrong location (but CWP found it for editing), if it's because I have to include modsec.conf at some point in a parent .conf file, if it's due to a mistake in my syntax or a known issue with ModSec or CWP...

Here is the error (anonymized):
Code: [Select]
[Mon Mar 27 22:22:52.425976 2023] [:error] [pid 1008302:tid 140528217736960] [client 2a02:842b:853b:f90a:f020:63132] [client 2a02:842b:fc87:f90a:f020] ModSecurity: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "428"] [id "958291"] [rev "2"] [msg "Range: field exists and begins with 0."] [data "bytes=0-"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [hostname "foobar.tld"] [uri "/vid/intro.mp4"] [unique_id "ZCH7HJJr-iBQGILntBDpjAAAAIo"], referer: https://foobar.tld/
Here is /usr/local/apache/conf/userdata/dummy/foobar.tld/modsec.conf:
Code: [Select]
# Prevent OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ on /vid/intro.mp4
SecRuleRemoveById 958291

And my context: CWP7, Apache 2.4, AlmaLinux 8.7.

What do you think?

Offline
*****
Re: Excluded rule for a domain is ignored
« Reply #1 on: March 28, 2023, 06:33:26 PM »
Are you using the OWASP ruleset? If so, I would suggest starting with the Comodo rules and tune from there.

Offline
*
Re: Excluded rule for a domain is ignored
« Reply #2 on: March 31, 2023, 12:36:36 PM »
Yes, I used the OWASP ruleset which is the only one allowed through CWP v. free. But, never mind, thanks for your help, but I finally restarted from scratch and installed another panel which better meet my will...