-
-
Notifications
You must be signed in to change notification settings - Fork 344
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changed behavior with httpd/mod_security due outbound anomaly score resetting in v4.2.0 #3696
Comments
Hi @arminabf, thanks for reporting. First of all, could you explain why does it need to install CRS 3.3.5 and upgrade that to 4.2.0? Does it need it just to see the difference? |
To understand the issue, I think we need your logs - only lines which show the cause of 403. Could you share that? |
Hi @airween
Correct, this is just to see the different behavior between both versions. |
Maybe @studersi wants to chime in here... |
This is interesting. I have not recreated this setup and I do not really understand it yet. @arminabf would you mind sharing your logs for the entire session (access to /, then redirect, then subsequent request. If this is true, it's a very interesting effect. I would prefer to keep initialization in phase 1 of course, but if it has to be, then shifting should not mean a problem on other platforms, I guess. |
@arminabf could you share your logs with us? You send it to security@coreruleset.org, if you don't want/can't share them here. |
Hi, this is the audit_log entry with v3.3.5
and this is the audit_log of the same request with v4.2.0
Note that for debugging purposes following rule has been added to v3.3.5
and for v4.2.0 the rule 959100 has been changed following:
This way the audit_log's clearly show that "Total Score" and "Threshold" are not set for v3.3.5, whereas for v4.2.0 only "Threshold" is not set. Attached is also detailed information for both requests with "SecDebugLogLevel 9" set. |
Affected Products:
Description:
Upgrading OWASP CRS from v3.3.5 to v4.2.0 in conjunction with mod_security on Apache httpd causes issues
when using RedirectMatch on virtual-host scope.
Steps to Reproduce:
RedirectMatch ^/$ https://<FQDN>/new/path
Technical Details
The different behaviour appears to be related to newly introduced rules in v4.2.0 with IDs 959059 and 959159.
These rules (re)set specific anomaly scores (blocking_outbound_anomaly_score and _detection_outbound_anomaly_score)
to 0, leading to comparison of scores to yet uninitialized thresholds in the evaluation phase.
Analysis
Testing out pointed to those both rules as temporarily removing them leads to the same behavior as with CRS v3.3.5.
A further test showed that moving RedirectMatch into a <Location> also leads to a correct redirection as thresholds are then properly initialized.
Proposal
We propose to initialize threshold values in REQUEST-901-INITIALIZATION.conf and in crs-setup.conf.example on phase 3 instead of phase 1.
The text was updated successfully, but these errors were encountered: