Author Topic: OWASP CRS/PROTOCOL VIOLATION/IP HOST  (Read 4987 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
OWASP CRS/PROTOCOL VIOLATION/IP HOST
« on: April 06, 2020, 09:14:31 PM »
Thanks to all forum volunteers

add a Rule Id920350 add my server mod Security

But the server still has strange behavior
check the apache logs

[Mon Apr 06 21:57:14.586497 2020] [:error] [pid 19905:tid 140019146647296] [client 169.197.108.38:33480] [client 169.197.108.38] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "793"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "on here IP my server"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "on here IP my server"] [uri "/"] [unique_id "XouJmgnUnhjrjhrgigvuTG4YQAAAEw"]





And I say again as I already said in several posts here in the Forum, and I did not solve the problem .. I turn off the mod Security and apache does not connect in any way.


Thanks to all forum volunteers
Jony Host

Re: OWASP CRS/PROTOCOL VIOLATION/IP HOST
« Reply #1 on: April 06, 2020, 11:13:30 PM »
Are you using plain Apache or with add-ons eg. nginx/varnish?

You've masked the actual file where you are using the exclusions, so difficult to assess: presumably it's /usr/local/apache/conf/userdata/user_name/user_domain/modsec.conf
What happens when you remove those and put them in /usr/local/apache/modsecurity-owasp-latest/global_disabled_rules.conf ?

CWP GUI gives no indication that a per user configuration is being included (and would explain why your rules aren't being actioned). If the above isn't suitable and/or doesn't solve the issue, try the following:
Press "Main Configuration" at RHS
Add
Code: [Select]
Include /usr/local/apache/conf/userdata/*/*/modsec.conf before the final </IfModule> line

Use at your own risk.
« Last Edit: April 06, 2020, 11:48:41 PM by ejsolutions »

Re: OWASP CRS/PROTOCOL VIOLATION/IP HOST
« Reply #2 on: April 06, 2020, 11:40:19 PM »
Made me review my own mod_sec log on the live client site and noticed localhost /server_status being flagged - goes to investigate how to exclude.

Offline
****
Google Hangouts:  rcschaff82@gmail.com

Offline
*
Re: OWASP CRS/PROTOCOL VIOLATION/IP HOST
« Reply #4 on: April 07, 2020, 02:54:22 AM »
Are you using plain Apache or with add-ons eg. nginx/varnish?

You've masked the actual file where you are using the exclusions, so difficult to assess: presumably it's /usr/local/apache/conf/userdata/user_name/user_domain/modsec.conf
What happens when you remove those and put them in /usr/local/apache/modsecurity-owasp-latest/global_disabled_rules.conf ?

CWP GUI gives no indication that a per user configuration is being included (and would explain why your rules aren't being actioned). If the above isn't suitable and/or doesn't solve the issue, try the following:
Press "Main Configuration" at RHS
Add
Code: [Select]
Include /usr/local/apache/conf/userdata/*/*/modsec.conf before the final </IfModule> line

Use at your own risk.



Hello friend of the forum, Thanks for helping ..

I'm using Nginx & Varnish & Apache
Jony Host

Offline
*
Re: OWASP CRS/PROTOCOL VIOLATION/IP HOST
« Reply #5 on: April 07, 2020, 02:57:55 AM »
https://www.liquidweb.com/kb/whitelisting-in-modsec/

          This site is helping a lot thanks

                      ---------//--------

I guarantee my Feedback on the CWP wiki site I will give no-good at all. very poorly done tutorials .. It's sad. I don't blame them, I just don't have enough knowledge. But I will always see CWP wiki which explains Rules and Mod Security is basic .. I know it has to do with the Firewall. But the wiki has to improve the content more ...

Hello friend of the forum, Thanks for helping ..

« Last Edit: April 07, 2020, 03:44:46 AM by jony »
Jony Host