I am using Apache 2.4.29 and just updated to the latest OWASP rules.
When a cookie named usprivacy containing 1--- is present, the mod_security module returns a 403 error.
I suspect it's one of the SQL injection attack rules, but so far I have not been able to identify which. I have tried with:
SecRuleRemoveById 942440 942280 942180 942210 942300 942340 942370
But I still get the 403 error when the usprivacy cookie appears.
Do you have any ideas on which rule could be causing the issue, or if this is the right track to tackle the problem?
CodePudding user response:
Check your Apache error log to see what is happening (or the audit logs, if you have those enabled). If ModSecurity rules are being triggered then there should be log lines to describe what is happening.
You should see a descriptive summary message, like:
ModSecurity: Warning. Pattern match "^[\\\\d.:] $" at REQUEST_HEADERS:Host
The rule being triggered:
[id "960017"]
Also, other useful information about what caused the rule in question to match is often included, like:
[msg "Host header is a numeric IP address"] [data "10.0.100.4"]
Using the information from the logs, you can write rule exclusions to resolve the issue(s). As you mentioned, SecRuleRemoveById is one method of writing rule exclusions; however, this is a bit of a blunt instrument (although it is the easiest way of excluding ModSecurity rules).
For more information on the different ways of writing rule exclusions, there is a great reference tutorial available here.
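The answer's procedure (read the error log, pull out the rule id, msg and data fields, then write a narrow exclusion) can be scripted. The following is an added example, not code from the question, the answer or the OWASP CRS project. It parses constructed log lines in the shape ModSecurity 2.x writes to the Apache error log; the rule ids 999901 and 999990, the file names and the messages in those lines are placeholders (the 960017 line reuses the sample from the answer), and the real values come from your own log. For the exclusion it emits SecRuleUpdateTargetById, which removes only the one variable from the rules that actually fired instead of disabling the whole rule for every request as SecRuleRemoveById does.

```python
import re

# Constructed sample lines in the format ModSecurity 2.x writes to the Apache
# error log. Ids 999901/999990, file names and messages are placeholders, not
# real CRS rules; the 960017 line mirrors the sample given in the answer.
SAMPLE_LOG = r'''
[Fri Jan 01 12:00:00.000000 2021] [:error] [pid 1234] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i:(?:--|#|/\*))" at REQUEST_COOKIES:usprivacy. [file "/etc/modsecurity/crs/rules/PLACEHOLDER-SQLI.conf"] [line "10"] [id "999901"] [msg "Placeholder: SQL comment sequence detected"] [data "Matched Data: --- found within REQUEST_COOKIES:usprivacy: 1---"] [severity "CRITICAL"] [tag "attack-sqli"] [tag "paranoia-level/1"] [hostname "example.test"] [uri "/"] [unique_id "constructed-1"]
[Fri Jan 01 12:00:00.000000 2021] [:error] [pid 1234] [client 192.0.2.10] ModSecurity: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity/crs/rules/PLACEHOLDER-PROTOCOL.conf"] [line "20"] [id "960017"] [msg "Host header is a numeric IP address"] [data "10.0.100.4"] [severity "WARNING"] [tag "attack-protocol"] [hostname "10.0.100.4"] [uri "/"] [unique_id "constructed-2"]
[Fri Jan 01 12:00:00.000000 2021] [:error] [pid 1234] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/PLACEHOLDER-BLOCKING.conf"] [line "30"] [id "999990"] [msg "Placeholder: inbound anomaly score exceeded"] [severity "CRITICAL"] [hostname "example.test"] [uri "/"] [unique_id "constructed-1"]
'''

# [key "value"] pairs; values may contain backslash-escaped characters.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The variable the operator matched, e.g. "... at REQUEST_COOKIES:usprivacy. [file".
VAR_RE = re.compile(r' at (?P<var>\S+?)\. \[')


def parse_modsec_line(line):
    """Return a dict with id, msg, data, matched variable, tags and whether the
    line is the blocking decision, or None if the line is not a ModSecurity
    message."""
    if 'ModSecurity: ' not in line:
        return None
    head = line.split('ModSecurity: ', 1)[1]
    fields = {'tags': []}
    for key, value in TAG_RE.findall(line):
        if key == 'tag':
            fields['tags'].append(value)   # a rule may carry several tags
        else:
            fields[key] = value
    m = VAR_RE.search(head)
    fields['variable'] = m.group('var') if m else None
    fields['blocked'] = head.startswith('Access denied')
    return fields


def rules_hitting(log_text, variable):
    """All parsed messages whose matched variable equals `variable`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_modsec_line(line)
        if rec and rec['variable'] == variable:
            hits.append(rec)
    return hits


def exclusion_directives(hits, variable):
    """Narrow exclusions: for each rule that fired, stop inspecting only the
    offending variable. The rule keeps protecting every other input."""
    ids = sorted({h['id'] for h in hits if 'id' in h})
    return [f'SecRuleUpdateTargetById {rid} "!{variable}"' for rid in ids]


def blocked_request_ids(log_text):
    """unique_id values of requests that ended in an 'Access denied' line, so
    the warning lines can be tied to the request that actually got the 403."""
    ids = set()
    for line in log_text.splitlines():
        rec = parse_modsec_line(line)
        if rec and rec['blocked'] and 'unique_id' in rec:
            ids.add(rec['unique_id'])
    return sorted(ids)


if __name__ == '__main__':
    cookie_var = 'REQUEST_COOKIES:usprivacy'
    for h in rules_hitting(SAMPLE_LOG, cookie_var):
        print(h['id'], h.get('msg'), '|', h.get('data'))
    print('\n'.join(exclusion_directives(rules_hitting(SAMPLE_LOG, cookie_var), cookie_var)))
    print('blocked requests:', blocked_request_ids(SAMPLE_LOG))
```

Feed it your real error log (or the audit log) and filter on the cookie variable; the ids it prints are the ones to exclude, and the "Access denied" line tells you whether the 403 comes from a single rule or from the CRS anomaly-score threshold being exceeded. SecRuleUpdateTargetById directives must be placed after the Include that loads the rules they modify, otherwise ModSecurity refuses to start because the rule id is not yet known.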