Something I don't understand. Here is a sample:


--6e7a4c70-E--

--6e7a4c70-H--
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs-3.0.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs-3.0.0/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0):
Engine-Mode: "DETECTION_ONLY"

--6e7a4c70-Z--

I tried to post the entire log entry, but the Barracuda that protects this list objected. I'm hoping that cutting down the content will work.

So I know that this is some sort of XSS problem, but no more than that. I checked with our web apps people, and the URL parameters are quite legitimate.

What is the underlying rule that triggered this? More importantly, how would I tell?

Finally, how do I turn this off so that the call continues to work once we take ModSecurity out of DETECTION_ONLY?


Thanks

Ed


_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
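
On the question of how to tell which rule triggered: rules 949110 and 980130 only evaluate and report the anomaly score, while the rule that raised it writes its own Message line in section H of the same audit-log entry. The following Python sketch is an added example, not part of the message above or of the CRS project; the first Message line in SAMPLE (rule 941100, parameter name and value) is constructed for illustration and is not taken from the poster's log.

```python
import re

# Ids copied from the post's excerpt: these rules only evaluate and report the
# anomaly score, so they never name the input that matched.
SCORING_RULE_IDS = {"949110", "980130"}

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
TARGET = re.compile(r"found within ([^:\s]+(?::[^:\s]+)?):")

# Constructed audit-log entry: the two scoring messages follow the post; the
# first Message line (rule, parameter, value) is invented for illustration.
SAMPLE = r'''--6e7a4c70-H--
Message: Warning. detected XSS using libinjection. [file "/etc/httpd/owasp-modsecurity-crs-3.0.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: constructed found within ARGS:example_param: constructed-value"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs-3.0.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs-3.0.0/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"]
Engine-Mode: "DETECTION_ONLY"

--6e7a4c70-Z--
'''

def detecting_rules(audit_log):
    """Return section H messages from rules other than the scoring rules."""
    hits, txn, part = [], None, None
    for line in audit_log.splitlines():
        boundary = BOUNDARY.match(line.strip())
        if boundary:
            txn, part = boundary.groups()
            continue
        if part != "H" or not line.startswith("Message: "):
            continue
        # Archived copies can fuse several messages onto one line, so split.
        for chunk in line.split("Message: ")[1:]:
            fields = dict(FIELD.findall(chunk))  # repeated keys (tag): last wins
            if "id" not in fields or fields["id"] in SCORING_RULE_IDS:
                continue
            target = TARGET.search(fields.get("data", ""))
            hits.append({
                "txn": txn,
                "id": fields["id"],
                "msg": fields.get("msg", ""),
                "file": fields.get("file", "").rsplit("/", 1)[-1],
                "target": target.group(1) if target else None,
            })
    return hits

if __name__ == "__main__":
    for hit in detecting_rules(SAMPLE):
        print(hit)
```

The id and target it reports are the two values a narrowly scoped exclusion (for example with SecRuleUpdateTargetById) would reference, rather than switching off the scoring rules themselves.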