Hello, I have just configured mod_security (2.6) with rule set 2.2.1. My website runs wordpress 3.2.1. mod-sec is running in detection only mode.
As soon as I restarted apache, I saw many warnings in the error log as visitors came to the site. First, visitors were denied access because of a false positive on cookie session hijacking; then, when I disabled optional_rules altogether, I started getting warnings about SQLi attacks when I tried to log in to the admin panel of wordpress. Here's a sample of the SQLi warning:

[Thu Sep 01 01:57:35 2011] [error] [client 98.158.123.158] ModSecurity: Warning. Operator GE matched 5 at TX:restricted_sqli_char_count. [file "/etc/modsecurity/modsecurity-crs/2.2.1/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "9"] [hostname "xyz.com"] [uri "/wp-admin/admin.php"] [unique_id "Tl68X04vrrwAAEeUFbUAAAAF"]

[Thu Sep 01 01:57:36 2011] [error] [client 98.158.123.158] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/modsecurity-crs/2.2.1/base_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=10, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "xyz.com"] [uri "/wp-admin/admin.php"] [unique_id "Tl68X04vrrwAAEeUFbUAAAAF"]

(Note: I renamed the domain name to xyz.com)

I tried increasing the @ge value from 4 to 5, and it stopped the warnings from showing when only browsing the login page, but after I log in, the warnings keep pouring in. I don't know what a suitable value to put there is.

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

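The tuning workflow a practitioner would follow here, as an added example that is not part of the post and not code from the CRS project: parse the "ModSecurity: Warning." error-log lines of the shape quoted above, rank which rule id fires on which URI (skipping the crs_60 correlation summaries, which only restate the score of rules that already fired), reproduce why a WordPress admin argument or cookie accumulates "restricted" SQL characters, and emit an exclusion scoped to /wp-admin/ in ModSecurity 2.6 syntax rather than raising the @ge threshold for every request to the site. Assumptions not taken from the post: RESTRICTED_CHARS is the ASCII part of the character class I recall from rule 981173 in CRS 2.2.x, and the count is applied per variable; verify both against the installed modsecurity_crs_41_sql_injection_attacks.conf. The sample log is the two lines quoted in the post plus constructed lines of the same shape (192.0.2.0/24 clients); the WordPress query string and cookies are constructed too, and the local rule id 10001 is a hypothetical placeholder.

```python
"""Triage ModSecurity CRS 2.2.x detection-only warnings from the Apache error log.

Added example for this thread; not the poster's code and not part of the CRS project.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote

# Constructed sample: the two lines quoted in the post plus three constructed lines of the
# same shape (clients in 192.0.2.0/24, unique_id values marked "constructed").
SAMPLE_LOG = r"""
[Thu Sep 01 01:57:35 2011] [error] [client 98.158.123.158] ModSecurity: Warning. Operator GE matched 5 at TX:restricted_sqli_char_count. [file "/etc/modsecurity/modsecurity-crs/2.2.1/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "9"] [hostname "xyz.com"] [uri "/wp-admin/admin.php"] [unique_id "Tl68X04vrrwAAEeUFbUAAAAF"]
[Thu Sep 01 01:57:36 2011] [error] [client 98.158.123.158] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/modsecurity-crs/2.2.1/base_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=10, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "xyz.com"] [uri "/wp-admin/admin.php"] [unique_id "Tl68X04vrrwAAEeUFbUAAAAF"]
[Thu Sep 01 02:03:10 2011] [error] [client 192.0.2.10] ModSecurity: Warning. Operator GE matched 5 at TX:restricted_sqli_char_count. [file "/etc/modsecurity/modsecurity-crs/2.2.1/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "7"] [hostname "xyz.com"] [uri "/wp-admin/post.php"] [unique_id "constructed0001"]
[Thu Sep 01 02:05:44 2011] [error] [client 192.0.2.11] ModSecurity: Warning. Operator GE matched 5 at TX:restricted_sqli_char_count. [file "/etc/modsecurity/modsecurity-crs/2.2.1/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "8"] [hostname "xyz.com"] [uri "/wp-admin/admin.php"] [unique_id "constructed0002"]
[Thu Sep 01 02:09:01 2011] [error] [client 192.0.2.12] ModSecurity: Warning. Operator GE matched 5 at TX:restricted_sqli_char_count. [file "/etc/modsecurity/modsecurity-crs/2.2.1/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "6"] [hostname "xyz.com"] [uri "/"] [unique_id "constructed0003"]
"""

HEAD_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
                     r'ModSecurity: (?P<verdict>Warning|Access denied[^.]*)\. ')
TAG_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')


def parse_entry(line):
    """Return one dict per ModSecurity error-log line (timestamp, client, verdict and every
    [key "value"] tag), or None for lines that are not ModSecurity events."""
    m = HEAD_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry.update(TAG_RE.findall(line))  # list of (key, val) pairs
    return entry if 'id' in entry else None


def parse_log(text):
    return [e for e in (parse_entry(l.strip()) for l in text.splitlines()) if e]


def rank_noise(entries):
    """(rule id, uri) pairs by frequency. The crs_60 correlation entries (981203 above) are
    skipped: they only summarise the score of rules that already fired on the request."""
    counts = Counter((e['id'], e['uri']) for e in entries
                     if 'crs_60_correlation' not in e.get('file', ''))
    return counts.most_common()


# ASSUMED (not from the post): ASCII part of the restricted-character class of rule 981173
# in CRS 2.2.x. Check it against the installed crs_41 conf before relying on it.
RESTRICTED_CHARS = set('~!@#$%^&*()-+={}[]|:;"\'`<>')


def restricted_count(value):
    return sum(1 for ch in value if ch in RESTRICTED_CHARS)


def args_over_threshold(query_string, threshold=4):
    """Decode each argument (as t:urlDecodeUni would) and count restricted characters per
    variable (assumed per-variable evaluation); returns {name: count} for arguments that
    would satisfy the @ge threshold."""
    return {name: restricted_count(value)
            for name, value in parse_qsl(query_string, keep_blank_values=True)
            if restricted_count(value) >= threshold}


def cookie_over_threshold(cookie_header, threshold=4):
    """Same check for a Cookie: header. WordPress packs 'k=v&k=v' pairs into the
    wp-settings-* cookie, so '=' and '&' alone push it past a threshold of 4 or 5."""
    hits = {}
    for part in cookie_header.split(';'):
        name, _, raw = part.strip().partition('=')
        n = restricted_count(unquote(raw))
        if n >= threshold:
            hits[name] = n
    return hits


def location_exclusion(rule_id, uri_prefix, local_id):
    """ModSecurity 2.6 syntax: a phase-1 rule that removes rule_id only for requests under
    uri_prefix, so public pages keep the check at its default threshold. local_id is a
    hypothetical id for the site's own rules."""
    return ('SecRule REQUEST_URI "@beginsWith {0}" '
            '"phase:1,t:none,nolog,pass,id:{1},ctl:ruleRemoveById={2}"'
            .format(uri_prefix, local_id, rule_id))


# Constructed WordPress-admin-style request pieces (not captured from the poster's site).
WP_ADMIN_QUERY = ('post_type=post&_wpnonce=6f3a1b2c3d&_wp_http_referer='
                  '%2Fwp-admin%2Fedit.php%3Fpost_type%3Dpost%26orderby%3Dtitle%26order%3Dasc')
WP_COOKIE = ('wp-settings-1=m0%3Do%26m1%3Do%26editor%3Dtinymce%26posts_list_mode%3Dlist; '
             'wp-settings-time-1=1314840000')

if __name__ == '__main__':
    entries = parse_log(SAMPLE_LOG)
    for (rule_id, uri), n in rank_noise(entries):
        print('%4d  id %s  %s' % (n, rule_id, uri))
    print('admin args over @ge 5:   ', args_over_threshold(WP_ADMIN_QUERY, 5))
    print('admin cookies over @ge 5:', cookie_over_threshold(WP_COOKIE, 5))
    print(location_exclusion('981173', '/wp-admin/', 10001))
```

Run against the real error_log instead of SAMPLE_LOG to see which (rule, URI) pairs dominate; on a WordPress site the _wp_http_referer argument and the wp-settings-* cookie are the usual sources, since both carry a whole k=v&k=v string inside one value. Scoping the exclusion to /wp-admin/ (which already requires a login) keeps rule 981173 at its original threshold for the public side of the site, which raising the @ge value does not.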