Topic: Mod_security keeps giving false positives - how to disable content filtering?

I keep getting messages like this in my error_log.

I assure you that no one is injecting any code into anything. It's a regular website, and it's giving TONS of false positives. I like mod_security for other things (DoS mitigation, IP blocking, etc.) -- how can I turn off this element of it?


[Fri Apr 15 02:12:56 2016] [error] [client 68.235.165.156] ModSecurity: Access denied with code 403 (phase 4). Match of "rx (?:\\\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\\\b|gif)|B(?:%pdf|\\\\.ra)\\\\b)" against "RESPONSE_BODY" required. [file "/usr/local/apache/modsecurity-crs/base_rules/modsecurity_crs_50_outbound.conf"] [line "39"] [id "970903"] [rev "2"] [msg "ASP/JSP source code leakage"] [data "Matched Data: <% found within RESPONSE_BODY: \\x1f\\x8b\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\xec}yw\\xdb6\\xb6\\xf8\\xdf\\xf19\\xf9\\x0e\\x08\\xa73\\xb6g\\xa8\\x85\\xda%\\xc7\\x9a\\xe7-\\xad;\\xb1\\x93\\x17\\xbbM\\xfb\\xfaz| \\x12\\x92\\xd8P\\xa4\\xca\\xc5\\xb6\\xa6\\xd3\\x0f\\xfd\\xbe\\xc1\\xef^\\x00$A\\x8a\\xb2d\\xc5\\xccr\\xce/\\x9d\\xb1\\xb8\\x80\\xc0\\xc5\\xc5\\xddq\\x01<\\xdfy\\xf9\\xe2\\xf4\\xcd\\xc9\\xf5\\xcfo\\xcf\\xc84\\x9c9\\xe4\\xed\\x0f\\xc7\\xaf\\xcfO\\x88V\\xa9\\xd5\\xde7Oj\\xb5\\xd3\\xebS\\xf2\\xd3w\\xd7\\x17\\xaf\\x89Q\\xad\\x93k\\x9f\\xba\\x81\\x1d\\xda\\x9eK\\x9dZ\\xed\\xecR#\\xda4\\x0..."] [severity "ERROR"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/LEAKAGE/SOURCE_CODE_ASP_JSP"] [tag "WASCTC/WAS [hostname "www.chantcd.com"] [uri "/index.php/Chant-Compendium-3-MP3-DOWNLOAD-EDITION"] [unique_id "VxCUeH8AAAEAACMCC20AAAAB"]
« Last Edit: April 15, 2016, 04:54:27 PM by DeveloperMcD »

Add [id "970903"] to the whitelist.

e.g.:
SecRuleRemoveById 970903
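
An added example, not part of the thread: before removing a rule it helps to tally which rule ids fire, on which URIs, and whether the logged RESPONSE_BODY data starts with the gzip magic bytes \x1f\x8b, as the data in the log line quoted above does, which means the rule matched compressed bytes rather than page source. The log lines below are constructed, rule id 999999 is a placeholder, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed error_log lines modelled on the entry quoted in the thread.
# Client IPs, hostnames, URIs, payload bytes and rule id 999999 are made up.
SAMPLE_LOG = r'''
[Fri Apr 15 02:12:56 2016] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 4). Match of "rx ..." against "RESPONSE_BODY" required. [id "970903"] [msg "ASP/JSP source code leakage"] [data "Matched Data: <% found within RESPONSE_BODY: \\x1f\\x8b\\x08\\x00\\xec}yw..."] [hostname "www.example.com"] [uri "/index.php/page-one"]
[Fri Apr 15 02:13:40 2016] [error] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 4). Match of "rx ..." against "RESPONSE_BODY" required. [id "970903"] [msg "ASP/JSP source code leakage"] [data "Matched Data: <% found within RESPONSE_BODY: \\x1f\\x8b\\x08\\x00\\x9d<%q..."] [hostname "www.example.com"] [uri "/index.php/page-two"]
[Fri Apr 15 02:14:02 2016] [error] [client 192.0.2.12] ModSecurity: Access denied with code 403 (phase 2). [id "999999"] [msg "constructed request rule"] [data "Matched Data: x found within ARGS:q: x"] [hostname "www.example.com"] [uri "/login"]
[Fri Apr 15 02:14:05 2016] [notice] caught SIGTERM, shutting down
'''

# [key "value"] fields; the value may contain backslash-escaped characters.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
PHASE_RE = re.compile(r'\(phase (\d)\)')
# gzip magic bytes as Apache logs them (one or more backslashes before each hex escape).
GZIP_RE = re.compile(r'RESPONSE_BODY: \\+x1f\\+x8b')

def parse_line(line):
    """Return the bracketed fields of a ModSecurity log line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)  # keep the first of repeated keys such as tag
    phase = PHASE_RE.search(line)
    fields["phase"] = int(phase.group(1)) if phase else None
    fields["gzip_body"] = bool(GZIP_RE.search(fields.get("data", "")))
    return fields

def summarize(log_text):
    """Per rule id: hit count, hits on a gzip-compressed body, and the URIs affected."""
    hits, gzip_hits, uris = Counter(), Counter(), {}
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or "id" not in fields:
            continue
        rule_id = fields["id"]
        hits[rule_id] += 1
        gzip_hits[rule_id] += fields["gzip_body"]
        uris.setdefault(rule_id, set()).add(fields.get("uri", "?"))
    return {rid: {"hits": n, "gzip_body": gzip_hits[rid], "uris": sorted(uris[rid])}
            for rid, n in hits.items()}

if __name__ == "__main__":
    for rule_id, info in summarize(SAMPLE_LOG).items():
        print(rule_id, info)
```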