Howdy -
I have the following line in a custom file:
SecRuleRemoveById 345402
However, I'm still getting that alert in my Apache error_logs:
[Sun Nov 03 21:30:33 2013] [error] [client x.x.x.x] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/etc/modsecurity/rules/70_asl_csrf_experimental.conf"] [line "80"] [id "345402"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "x.x.x.x"] [uri "/info.php"]
Is it supposed to still alert even though you disable that rule, or is something else wrong?
Thanks!
Disabling a rule doesn't stop the notification?
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Disabling a rule doesn't stop the notification?
Thanks for the question. So first, thank you for using our rules.
To disable a rule, make sure you use that directive after the rule has been loaded. If your SecRuleRemoveById 345402 comes before the rule is loaded it won't have any effect.
Second, that rule is part of the experimental CSRF protection rules. Unless you're comfortable tuning those rules by hand, you probably don't want to use them.
Michael Shinn
Atomicorp - Security For Everyone
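The load-order point from the reply above, as an added example (not part of the original thread and not Atomicorp's code): a Python check that walks configuration text in processing order and reports SecRuleRemoveById arguments that match no rule loaded yet. The file name 00_custom.conf and the rule body are constructed stand-ins; only the id 345402 and the rules file name come from the thread.

```python
import re

# "id:NNN" inside a rule's action list, and the removal directive itself.
RULE_ID = re.compile(r"\bid:\s*'?(\d+)'?")
REMOVE = re.compile(r"^\s*SecRuleRemoveById\s+(.+)$", re.IGNORECASE)

def id_range(token):
    """Turn one directive argument (an id or a quoted "low-high" range) into (low, high)."""
    low, _, high = token.strip("\"'").partition("-")
    return int(low), int(high or low)

def ineffective_removals(files):
    """files: [(name, text)] in the order the server processes them.
    Returns [(file, line_no, argument)] for every SecRuleRemoveById argument
    that matches no rule id loaded before that line."""
    loaded, findings = set(), []
    for name, text in files:
        for line_no, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue  # skip comments
            removal = REMOVE.match(line)
            if removal:
                for token in removal.group(1).split():
                    low, high = id_range(token)
                    if not any(low <= rid <= high for rid in loaded):
                        findings.append((name, line_no, token.strip("\"'")))
            else:
                loaded.update(int(i) for i in RULE_ID.findall(line))
    return findings

# Constructed sample input: a simplified stand-in for rule 345402 (not the
# real rule text) and a hypothetical custom file holding the removal.
RULES = ("70_asl_csrf_experimental.conf",
         'SecRule &ARGS:CSRF_TOKEN "!@eq 1" "phase:2,log,pass,id:345402"\n')
CUSTOM = ("00_custom.conf", "SecRuleRemoveById 345402\n")

if __name__ == "__main__":
    print("custom file first:", ineffective_removals([CUSTOM, RULES]))
    print("rules file first: ", ineffective_removals([RULES, CUSTOM]))
```

Pass the files in the same order the web server reads them; a wildcard Include in Apache expands in alphabetical order.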
Re: Disabling a rule doesn't stop the notification?
Thanks for the quick response! Greatly appreciated.
mikeshinn wrote:
> Thanks for the question. So first, thank you for using our rules.
> To disable a rule, make sure you use that directive after the rule has been loaded. If your SecRuleRemoveById 345402 comes before the rule is loaded it won't have any effect.
> Second, that rule is part of the experimental CSRF protection rules. Unless you're comfortable tuning those rules by hand, you probably don't want to use them.
I don't remember which tutorial I used, but it said just to do include /etc/modsecurity/rules/*.conf, so it's including all rules.
Do you suggest I manually add each include instead, or is there an easier way to skip the 'experimental' rules?
- mikeshinn
- Atomicorp Staff - Site Admin
Re: Disabling a rule doesn't stop the notification?
Yeah, you don't want to load all the rules. There are rules in there that are different "versions" of the same rules. This is the tutorial you want to follow:
https://www.atomicorp.com/wiki/index.ph ... rity_Rules
And yes, you want to load rule files individually. Here's the basic set we recommend for most users, but do read the whole article as it explains what each ruleset does as the defaults may not be appropriate for your needs.
https://www.atomicorp.com/wiki/index.ph ... m_rulesets
Michael Shinn
Atomicorp - Security For Everyone