Hi all,
Besides using own blocking rules, I am experimenting with the CRS in anomaly
scoring mode. Since I like to keep most of the rules enabled and create narrow
exceptions, I regularly get some false positives on the CRS and I really need
to have a friendly 'blocked' page.
What seems to work for me in most situations was changing the following
default action in modsecurity_crs_10_setup.conf:
SecDefaultAction phase:2,pass,log,status:509
I've used the friendly error trick from the ModSecurity handbook, so my config
also includes:
ErrorDocument 509 /modsecurity-errorpage/
Alias /modsecurity-errorpage/ /opt/httpd/etc/apache22/mod_security2/errorpage/
<Directory "/opt/httpd/etc/apache22/mod_security2/errorpage/">
Order allow,deny
Allow from all
</Directory>
In that dir, there's an index.php that sends a 403 header and some info. This
appears to work fine for the CRS in most situations. Inbound blocking now
displays the error page, and outbound blocking mostly seems to display it as
well.
There seems to be one slight problem involving scripts that send a 5xx response
status. If I trigger rules such as 970901 or 970021 in
modsecurity_crs_50_outbound.conf by calling a PHP script which returns a 5xx
status, such as:
<?php
header('HTTP/1.0 500 Error'); // The application is not available
I don't get the friendly error page; instead I get Apache's default "internal
error" page which says "509 unused":
The server encountered an internal error or misconfiguration and was unable to
complete your request. [...] Additionally, a 509 unused error was encountered
while trying to use an ErrorDocument to handle the request.
That's even scarier than the default 403 Forbidden page! I'm puzzled why it
would encounter a problem resolving the ErrorDocument, and I'm not sure where
the problem is, since the trick works fine in other outbound blocking
situations that get a 2xx status (such as open dirs).
Is there a better way to use friendly blocking in combination with the CRS,
which (hopefully) resolves the problem with scripts returning 5xx status?
Cheers!
WH
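A check for the setup described in the post above, added here as an example and not part of the original message: once SecDefaultAction carries status:509 and an ErrorDocument points at the custom page, a tester wants to confirm that a blocked request really comes back as the friendly 403 page and never as Apache's default "509 unused" error text, which would confirm the ErrorDocument lookup failed. The script parses a raw HTTP response and classifies it. The three sample responses and the FRIENDLY_MARKER string (assumed to be text the custom index.php emits) are constructed for illustration.

```python
"""Classify captured HTTP responses from an Apache/ModSecurity host.

Added example, not from the original post. Usage: feed it the raw response
text captured from a request that should be blocked and check the verdict.
"""
from typing import Dict, Tuple

# Assumed marker text emitted by the custom /modsecurity-errorpage/index.php.
FRIENDLY_MARKER = "Request blocked by the web application firewall"
# Phrases from Apache's built-in error page, as quoted in the post.
APACHE_DEFAULT_ERROR = "encountered an internal error or misconfiguration"
UNUSED_STATUS_LEAK = "unused error was encountered"


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw: str) -> str:
    """Return a verdict describing what the client actually saw."""
    status, _, body = parse_response(raw)
    if status == 403 and FRIENDLY_MARKER in body:
        return "friendly-block-page"          # the intended outcome
    if UNUSED_STATUS_LEAK in body or APACHE_DEFAULT_ERROR in body:
        return "apache-default-error-leak"    # ErrorDocument handling failed
    if 500 <= status <= 599:
        return "upstream-5xx"                 # backend error passed through
    if status == 403:
        return "bare-403"                     # blocked, but no friendly page
    return "not-blocked"


# Constructed sample responses (not captured from a real host).
SAMPLES = {
    "friendly": (
        "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
        "<html><body><h1>Sorry</h1>"
        "<p>Request blocked by the web application firewall.</p></body></html>"
    ),
    "leak": (
        "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
        "<p>The server encountered an internal error or misconfiguration and "
        "was unable to complete your request.</p><p>Additionally, a 509 unused "
        "error was encountered while trying to use an ErrorDocument to handle "
        "the request.</p>"
    ),
    "normal": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"
    ),
}


def check_samples() -> Dict[str, str]:
    """Classify every sample; a practitioner would feed real captures here."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name:8s} -> {verdict}")
```

Run it against responses captured from the staging host (for example from a request that triggers an outbound rule on a script returning 500) and look for the "apache-default-error-leak" verdict: that is the case the post describes, where the internal error text reaches the client instead of the friendly page.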
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set