mod_security audit log

LawsHosting

Why is this log in json style? It's hard to follow.......

The generic apache error log is much better.

* Using OWASP rules now and removed CWAF plugin
 
Ever since changing to OWASP, rules are getting hit when clients edit (some content in) Wordpress posts eg.

Rules 932105 and 941100.

It's a burden more than a security measure.
 
Had to turn it off......

Code:
NoScript XSS InjectionChecker: HTML Injection
URL file extension is restricted by policy
Remote Command Execution: Unix Shell Expression Found
blah blah
 
Of course, everything is geared towards Evolution....... If this is the case, why not just dump Enhanced totally.......

Logs work in Evolution.....
 
everything is geared towards Evolution
Well it is the standard and default skin. I don’t understand why some don’t seem to get it (I don’t only mean you). It’s like a lot of the veterans just can't move on. You are supposed to stop using the old outdated and move to the new skin. I mean why did they make it except for it to be used. Sorry if I hijacked the post.
 
Then get rid of Enhanced...... The Lego thing doesn't work either......

It's no secret that I do not like Evolution, never have
 
Ever since changing to OWASP, rules are getting hit when clients edit (some content in) Wordpress posts eg.

Rules 932105 and 941100.

It's a burden more than a security measure.
Not recommended, but you could remove:
REQUEST-932-APPLICATION-ATTACK-RCE.conf which has rule 932105 inside.
REQUEST-941-APPLICATION-ATTACK-XSS.conf which has rule 941100 inside.

This way you prevent other rules from causing trouble as well, but you throw away a lot of protection.


Or exclude the rules in:
RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
SecRuleRemoveById 932105
SecRuleRemoveById 941100

But this requires monitoring of your logs to find out what rules to remove. Safer but more work.
Instead of monitoring my logs, I check the lfd messages from csf firewall. I can see if it is a user or a hacker from the IP address.
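As an added example (not from this thread or from CRS), a small Python triage script for the JSON-format audit log the thread opens with: it pulls each rule hit's id, matched variable and URI out of the records and, for hits that recur, emits a SecRuleUpdateTargetById line that drops only that one argument from the rule instead of removing the whole rule with SecRuleRemoveById. The sample records are constructed, and their key names are an assumption about the SecAuditLogFormat JSON layout.

```python
import json
import re
from collections import Counter

# Constructed sample: three JSON audit-log records, one per line, in the shape
# SecAuditLogFormat JSON writes (key names are an assumption about that layout).
# Messages follow CRS 3: [id "..."] [msg "..."] [data "... found within VAR: ..."].
SAMPLE_LOG = r'''
{"transaction": {"time": "07/May/2019:10:01:22 +0100", "remote_address": "203.0.113.10"}, "request": {"request_line": "POST /wp-admin/post.php HTTP/1.1"}, "audit_data": {"messages": ["Message: Warning. Pattern match ... [id \"932105\"] [msg \"Remote Command Execution: Unix Command Injection\"] [data \"Matched Data: $( found within ARGS:content: echo $(date)\"]", "Message: Warning. detected XSS using libinjection. [id \"941100\"] [msg \"XSS Attack Detected via libinjection\"] [data \"Matched Data: XSS data found within ARGS:content: <script>\"]"]}}
{"transaction": {"time": "07/May/2019:10:05:41 +0100", "remote_address": "203.0.113.22"}, "request": {"request_line": "POST /wp-admin/post.php HTTP/1.1"}, "audit_data": {"messages": ["Message: Warning. Pattern match ... [id \"932105\"] [msg \"Remote Command Execution: Unix Command Injection\"] [data \"Matched Data: $( found within ARGS:content: ls $(pwd)\"]", "Message: Warning. detected XSS using libinjection. [id \"941100\"] [msg \"XSS Attack Detected via libinjection\"] [data \"Matched Data: XSS data found within ARGS:content: <script>\"]"]}}
{"transaction": {"time": "07/May/2019:11:17:03 +0100", "remote_address": "198.51.100.7"}, "request": {"request_line": "GET /?s=%3Cscript%3E HTTP/1.1"}, "audit_data": {"messages": ["Message: Warning. detected XSS using libinjection. [id \"941100\"] [msg \"XSS Attack Detected via libinjection\"] [data \"Matched Data: XSS data found within ARGS:s: <script>\"]"]}}
'''

RULE_RE = re.compile(r'\[id "(\d+)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')
VAR_RE = re.compile(r'found within ([A-Z_]+(?::[^:\s]+)?)')  # e.g. ARGS:content, REQUEST_URI

def parse_audit_log(text):
    """One dict per rule hit: rule id, message, matched variable, URI, client."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        uri = rec["request"]["request_line"].split()[1]
        client = rec["transaction"]["remote_address"]
        for msg in rec.get("audit_data", {}).get("messages", []):
            rid = RULE_RE.search(msg)
            if not rid:
                continue  # not a rule hit (e.g. a free-form engine note)
            desc, var = MSG_RE.search(msg), VAR_RE.search(msg)
            hits.append({"id": rid.group(1), "msg": desc.group(1) if desc else "",
                         "var": var.group(1) if var else None,
                         "uri": uri, "client": client})
    return hits

def summarize(hits):
    """Hits per (rule id, variable, URI): a false positive is the same rule on the same field of the same page, repeatedly."""
    return Counter((h["id"], h["var"], h["uri"]) for h in hits)

def suggest_exclusions(hits, min_hits=2):
    """Targeted exclusion for each (rule id, variable) seen min_hits times: the rule still runs on every other variable."""
    pairs = Counter((h["id"], h["var"]) for h in hits if h["var"])
    return [f'SecRuleUpdateTargetById {rid} "!{var}"'
            for rid, var in sorted(k for k, n in pairs.items() if n >= min_hits)]

if __name__ == "__main__":
    print("\n".join(suggest_exclusions(parse_audit_log(SAMPLE_LOG))))
```

The emitted lines belong in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf (or any file loaded after the CRS rules); the single search-page hit from one client is deliberately left out, since a one-off on an arbitrary parameter is a scan to watch, not an exclusion candidate.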
 