Mod Security Core Rule Set: Difference between revisions
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
=Issue= | |||
> Can you advise on guidelines for avoiding WAF mod_security issues? Right | > Can you advise on guidelines for avoiding WAF mod_security issues? Right | ||
> now there are OSEmail pains-in-ass in that I have to verify often whether a | > now there are OSEmail pains-in-ass in that I have to verify often whether a | ||
| Line 4: | Line 5: | ||
> the forbidden characters to watch out for? | > the forbidden characters to watch out for? | ||
=Solution= | |||
I'm sorry to hear that. Please, please let me know when you encounter | I'm sorry to hear that. Please, please let me know when you encounter | ||
issues like this! Be sure to send me the information I need to reproduce | issues like this! Be sure to send me the information I need to reproduce | ||
Latest revision as of 20:18, 6 December 2019
Issue
> Can you advise on guidelines for avoiding WAF mod_security issues? Right > now there are OSEmail pains-in-ass in that I have to verify often whether a > save error results when I include links and other punctuation. What are all > the forbidden characters to watch out for?
Solution
I'm sorry to hear that. Please, please let me know when you encounter issues like this! Be sure to send me the information I need to reproduce it and whitelist the false-positive in mod_security.
https://wiki.opensourceecology.org/wiki/Web_server_configuration#mod_security
There's literally hundreds of rules that we use in mod_security by default, which are published by OWASP called the CRS (Core Rule Set). They need to be tuned appropriately, disabling rules that don't play well with the specific web application (wordpress, mediawiki, phplist, etc).
https://github.com/SpiderLabs/owasp-modsecurity-crs/
https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/