disable rule not work
Hello
We have a ton of false positives with rule 340206 under "/usr/local/apache/conf/modsec_rules/70_asl_csrf_experimental.conf"
So, we first tried to disable the rule for the user: it did not work
After that, we tried to disable the rule for the user and domain: it did not work
After that, we tried to disable the rule globally: it did not work
Best regards
Re: disable rule not work
If you are using the paid rules, you have to be aware that some rules only work with ASL HARDENING, and the set in 70_asl_csrf_experimental.conf is one of them and is not needed with CSF; you can delete that set of rules. You can contact ASL support and they will confirm this.
Sergio
Re: disable rule not work
Hi
Same issue on another server, but this time the rule is a standard cPanel one (960032)
We whitelisted it but it is still ignored
:/
Re: disable rule not work
Try the following:
- Enter into CSF GUI and go to "SEARCH SYSTEM LOGS".
- Select the first log option "/usr/local/apache/logs/error_logs"
- Search the string: 960032 using the "Detach" option
Paste here some of the lines that you got there.
Re: disable rule not work
Hi Sergio
Last rows:
[Mon Jan 13 13:49:34 2014] [error] [client 77.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPg3k1d-@0AAHyxBsUAAAAI"]
[Mon Jan 13 14:04:09 2014] [error] [client 54.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPkSU1d-@0AACWhPxkAAAAK"]
[Mon Jan 13 14:04:09 2014] [error] [client 54.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPkSU1d-@0AAD6LXpwAAAAG"]
[Mon Jan 13 14:43:06 2014] [error] [client 93.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtPtak1d-@0AAExDWgYAAAAf"]
[Mon Jan 13 15:29:56 2014] [error] [client 93.xx.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "xxx.myhost.com"] [uri "/"] [unique_id "UtP4ZE1d-@0AAHtkJrwAAAAE"]
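Added example, not part of the original thread: the log search above is what identifies which file and line define the blocking rule, and the same step can be scripted. The sample lines are constructed in the format quoted above, and the names `parse_line` and `summarize` belong to this example only.

```python
import re
from collections import defaultdict

# Constructed sample in the error_log format quoted in the thread; client
# addresses, hostname, unique_id values and the second rule (900001) are made up.
SAMPLE_LOG = "\n".join([
    '[Mon Jan 13 13:49:34 2014] [error] [client 192.0.2.10] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.example.test"] [uri "/"] [unique_id "constructed-0001"]',
    '[Mon Jan 13 13:50:02 2014] [error] [client 192.0.2.10] File does not exist: /home/example/public_html/favicon.ico',
    '[Mon Jan 13 14:04:09 2014] [error] [client 198.51.100.7] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.example.test"] [uri "/"] [unique_id "constructed-0002"]',
    '[Mon Jan 13 14:10:00 2014] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "examplebot" at REQUEST_HEADERS:User-Agent. [file "/etc/example/constructed_rules.conf"] [line "12"] [id "900001"] [msg "Constructed sample rule"] [hostname "www.example.test"] [uri "/"] [unique_id "constructed-0003"]',
])

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] metadata
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')

def parse_line(line):
    """Return the metadata of one ModSecurity error_log line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    head, _, body = line.partition("ModSecurity:")
    fields = {}
    for key, value in FIELD_RE.findall(body):
        fields.setdefault(key, value)          # keys such as tag can repeat; keep the first
    client = CLIENT_RE.search(head)
    fields["client"] = client.group(1) if client else None
    fields["blocked"] = body.lstrip().startswith("Access denied")
    return fields

def summarize(log_text):
    """Group hits by (rule id, defining file, line) so the rule can be located."""
    hits = defaultdict(lambda: {"count": 0, "blocked": 0, "clients": set(), "msg": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "id" not in rec:
            continue
        entry = hits[(rec["id"], rec.get("file"), rec.get("line"))]
        entry["count"] += 1
        entry["blocked"] += rec["blocked"]     # True counts as 1
        entry["clients"].add(rec["client"])
        entry["msg"] = rec.get("msg")
    return dict(hits)

if __name__ == "__main__":
    for (rule_id, path, line_no), e in sorted(summarize(SAMPLE_LOG).items()):
        print(rule_id, f"{path}:{line_no}", f'hits={e["count"]}', f'blocked={e["blocked"]}', e["msg"])
```

The file and line in each summary key are where the rule's action list sits, which is the line to inspect before disabling or whitelisting the rule.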
Re: disable rule not work
Ok, now do this:
look at /usr/local/apache/conf/modsec2.user.conf and copy here the code that is in line "39".
Re: disable rule not work
# allow request methods
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"
line 39 is
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"
Re: disable rule not work
If you don't want to use this rule in your server, you can disable it by just adding a remark "#" (without the quotes) to the "SecRule" line.
webstyler wrote:
# allow request methods
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"
line 39 is
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"
By the way, why are you using this rule inside your modsec2.user.conf file? Do you have other rules inside that file?
Re: disable rule not work
For this server all rules are defined inside modsec2.user.conf, as by default in cPanel
Re: disable rule not work
Ok, cPanel rules are not the best ones; you should consider using a better set of rules.
In the meantime, just disable the rule that is causing you the error and you are all set.