We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
I've the following rule in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:
SecRule REQUEST_HEADERS:Host "@pm test.domain.com" "id:1005, phase:1, pass, nolog, ctl:ruleEngine=Off"
I want Coraza to not work for the site test.domain.com.
If I run the curl command: 'curl http://test.domain.com/\?x\=/etc/passwd' it's ok. It doesn't block anything. But if I run 'curl -A "" -H "User-Agent;" https://test.domain.com/' to send a request without the user-agent header, I get the log:
May 23 12:31:40 SERVER coraza-spoa[1167]: {"level":"info","ts":1684855900.383147,"msg":"[client "IP_ADDRESS"] Coraza: Warning. Empty User Agent Header [file "/etc/coraza-spoa/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "0"] [id "920330"] [rev ""] [msg "Empty User Agent Header"] [data ""] [severity "notice"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname ""] [uri "/?"]\n"}
It seems that rules with ID 920xxx are executed despite my rule 1005. What can be happening? I did the same rule in Modsecurity and it works fine.
The text was updated successfully, but these errors were encountered:
No branches or pull requests
I've the following rule in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:
SecRule REQUEST_HEADERS:Host "@pm test.domain.com"
"id:1005,
phase:1,
pass,
nolog,
ctl:ruleEngine=Off"
I want Coraza to not work for the site test.domain.com.
If I run the curl command: 'curl http://test.domain.com/\?x\=/etc/passwd' it's ok. It doesn't block anything. But if I run 'curl -A "" -H "User-Agent;" https://test.domain.com/' to send a request without the user-agent header, I get the log:
May 23 12:31:40 SERVER coraza-spoa[1167]: {"level":"info","ts":1684855900.383147,"msg":"[client "IP_ADDRESS"] Coraza: Warning. Empty User Agent Header [file "/etc/coraza-spoa/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "0"] [id "920330"] [rev ""] [msg "Empty User Agent Header"] [data ""] [severity "notice"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname ""] [uri "/?"]\n"}
It seems that rules with ID 920xxx are executed despite my rule 1005. What can be happening? I did the same rule in Modsecurity and it works fine.
The text was updated successfully, but these errors were encountered: