Modsecurity - REQUEST_URI allow rule is not working












-1














We have following rules that are not working and we wanted to white list this warning ( in event viewer ), which contains "testinguri" in URI.




  1. SecRule REQUEST_URI "@contains testinguri?op=message" "id:200006,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 1'"


  2. SecRule REQUEST_URI "@beginsWith /en-us/testinguri?op=message" "id:200007,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 2'"


  3. SecRule REQUEST_URI "^/en-us/testinguri?op=message.*" "id:200008,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 3'"


  4. SecRule REQUEST_URI "@contains testinguri" "id:200009,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 4'"



Above rules are for same purpose but we put them if any version of the rule works but no luck.



Below is the warning in the event viewer and we want to allow the URI that have "testinguri" in it. It is running in Detection mode right now.



ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "C:Program FilesModSecurity IISowasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"]
[id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Windows Command Injection; individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "computerName"] [uri "/en-us/testinguri?op=message&to=FULL URI..."] [unique_id "454534234234234"]



Can you please help on this. Thanks.










share|improve this question





























    -1














    We have following rules that are not working and we wanted to white list this warning ( in event viewer ), which contains "testinguri" in URI.




    1. SecRule REQUEST_URI "@contains testinguri?op=message" "id:200006,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 1'"


    2. SecRule REQUEST_URI "@beginsWith /en-us/testinguri?op=message" "id:200007,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 2'"


    3. SecRule REQUEST_URI "^/en-us/testinguri?op=message.*" "id:200008,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 3'"


    4. SecRule REQUEST_URI "@contains testinguri" "id:200009,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 4'"



    Above rules are for same purpose but we put them if any version of the rule works but no luck.



    Below is the warning in the event viewer and we want to allow the URI that have "testinguri" in it. It is running in Detection mode right now.



    ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "C:Program FilesModSecurity IISowasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"]
    [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Windows Command Injection; individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "computerName"] [uri "/en-us/testinguri?op=message&to=FULL URI..."] [unique_id "454534234234234"]



    Can you please help on this. Thanks.










    share|improve this question



























      -1












      -1








      -1







      We have following rules that are not working and we wanted to white list this warning ( in event viewer ), which contains "testinguri" in URI.




      1. SecRule REQUEST_URI "@contains testinguri?op=message" "id:200006,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 1'"


      2. SecRule REQUEST_URI "@beginsWith /en-us/testinguri?op=message" "id:200007,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 2'"


      3. SecRule REQUEST_URI "^/en-us/testinguri?op=message.*" "id:200008,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 3'"


      4. SecRule REQUEST_URI "@contains testinguri" "id:200009,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 4'"



      Above rules are for same purpose but we put them if any version of the rule works but no luck.



      Below is the warning in the event viewer and we want to allow the URI that have "testinguri" in it. It is running in Detection mode right now.



      ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "C:Program FilesModSecurity IISowasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"]
      [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Windows Command Injection; individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "computerName"] [uri "/en-us/testinguri?op=message&to=FULL URI..."] [unique_id "454534234234234"]



      Can you please help on this. Thanks.










      share|improve this question















      We have following rules that are not working and we wanted to white list this warning ( in event viewer ), which contains "testinguri" in URI.




      1. SecRule REQUEST_URI "@contains testinguri?op=message" "id:200006,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 1'"


      2. SecRule REQUEST_URI "@beginsWith /en-us/testinguri?op=message" "id:200007,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 2'"


      3. SecRule REQUEST_URI "^/en-us/testinguri?op=message.*" "id:200008,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 3'"


      4. SecRule REQUEST_URI "@contains testinguri" "id:200009,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly,msg:'Test 4'"



      Above rules are for same purpose but we put them if any version of the rule works but no luck.



      Below is the warning in the event viewer and we want to allow the URI that have "testinguri" in it. It is running in Detection mode right now.



      ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "C:Program FilesModSecurity IISowasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"]
      [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Windows Command Injection; individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "computerName"] [uri "/en-us/testinguri?op=message&to=FULL URI..."] [unique_id "454534234234234"]



      Can you please help on this. Thanks.







      mod-security web-application-firewall






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 21 '18 at 9:04









      neuro

      11.8k32855




      11.8k32855










      asked Nov 12 '18 at 13:05









      Question and AnswerQuestion and Answer

      386




      386
























          1 Answer
          1






          active

          oldest

          votes


















          0














          We were able to figure it out. So created a conf file test.conf and put the rules in that that we wanted to white list.



          Then in the modsecurity_iis.conf file added this files reference at last.



          This works for us. Hope this will help someone. Thanks.






          share|improve this answer























            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53262814%2fmodsecurity-request-uri-allow-rule-is-not-working%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            We were able to figure it out. So created a conf file test.conf and put the rules in that that we wanted to white list.



            Then in the modsecurity_iis.conf file added this files reference at last.



            This works for us. Hope this will help someone. Thanks.






            share|improve this answer




























              0














              We were able to figure it out. So created a conf file test.conf and put the rules in that that we wanted to white list.



              Then in the modsecurity_iis.conf file added this files reference at last.



              This works for us. Hope this will help someone. Thanks.






              share|improve this answer


























                0












                0








                0






                We were able to figure it out. So created a conf file test.conf and put the rules in that that we wanted to white list.



                Then in the modsecurity_iis.conf file added this files reference at last.



                This works for us. Hope this will help someone. Thanks.






                share|improve this answer














                We were able to figure it out. So created a conf file test.conf and put the rules in that that we wanted to white list.



                Then in the modsecurity_iis.conf file added this files reference at last.



                This works for us. Hope this will help someone. Thanks.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited 2 days ago









                Bsquare

                3,13131033




                3,13131033










                answered 2 days ago









                Question and AnswerQuestion and Answer

                386




                386






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53262814%2fmodsecurity-request-uri-allow-rule-is-not-working%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Full-time equivalent

                    さくらももこ

                    13 indicted, 8 arrested in Calif. drug cartel investigation