Need help with modsecurity/owasp
adityabhanglekpmg opened this issue · 1 comments
Hello, I have implemented modsecurity/owasp in my environment. Most of it works, but I am facing an issue whenever there are query parameters in the URL. Even though the page and request is valid, the entire thing is getting blocked by a rule - 949110.
```
# always check threshold in phase 2
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
    "id:949110,\
    phase:2,\
    deny,\
    t:none,\
    msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
    tag:'anomaly-evaluation',\
    tag:'OWASP_CRS',\
    ver:'OWASP_CRS/4.4.0'"
```
I tried putting a few things in my Kubernetes config map but nothing seems to work. Any help on this?
Please note that this is not a ModSecurity-nginx question, and not a ModSecurity question. This is definitely a coreruleset question.
Anyway, you say:
> Even though the page and request is valid, the entire thing is getting blocked by a rule - 949110.

No, I'm sure the request is not valid. I'm sure there are many other lines before this line in the log. Perhaps you should set the level to info in your nginx.conf for your error.log. For more information, please see the documentation.
I'm going to close this issue, please open one on CRS's GitHub page.
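
Rule 949110 only compares the accumulated inbound anomaly score with the threshold, so the rules that raised the score are in the earlier log lines the reply refers to. As an added example (not part of this thread or of CRS), the Python below groups ModSecurity log lines by `unique_id` and lists the rules behind each 949110 block. The sample lines, file paths, line numbers and `unique_id` values are constructed, and the parser assumes the bracketed `[id "..."]` field layout of ModSecurity v3 log lines.

```python
import re
from collections import defaultdict

# Constructed sample lines (shortened), not taken from the reporter's system.
# The third line is a block whose contributing rules were not logged, as
# happens when the error_log level hides the non-blocking matches.
SAMPLE_LOG = """\
2024/06/01 10:00:00 [info] 7#7: *1 ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/search"] [unique_id "171723600001"]
2024/06/01 10:00:00 [error] 7#7: *1 [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/search"] [unique_id "171723600001"]
2024/06/01 10:00:05 [error] 7#7: *2 [client 10.0.0.6] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/items"] [unique_id "171723600502"]
"""

FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')   # matches [key "value"] pairs
EVALUATION_RULES = {"949110"}                # the blocking rule quoted in the issue


def contributing_rules(log_text):
    """Return {unique_id: {'uri', 'blocked', 'rules': [(id, msg), ...]}}."""
    requests = defaultdict(lambda: {"uri": None, "blocked": False, "rules": []})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD.findall(line))
        uid, rule_id = fields.get("unique_id"), fields.get("id")
        if not uid or not rule_id:
            continue                          # cannot correlate this line
        req = requests[uid]
        req["uri"] = fields.get("uri", req["uri"])
        if rule_id in EVALUATION_RULES:
            req["blocked"] = True             # score check, not a detection
        else:
            req["rules"].append((rule_id, fields.get("msg", "")))
    return dict(requests)


if __name__ == "__main__":
    for uid, req in contributing_rules(SAMPLE_LOG).items():
        if not req["blocked"]:
            continue
        print(f"{uid} {req['uri']}: blocked by anomaly score")
        if not req["rules"]:
            print("  no contributing rules logged; raise the error_log level")
        for rule_id, msg in req["rules"]:
            print(f"  rule {rule_id}: {msg}")
```

The rule IDs it reports are the ones to review for a false positive or take to the CRS issue tracker.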