Need help with Query String parameters – GET Request

Çağlar Arlı

I have implemented ModSecurity/OWASP in my Kubernetes environment. Most of it works, but I am facing an issue whenever there are query parameters in the URL. Even though the page and request are/look valid, the entire page is getting blocked by a rule - 949110 and I see a blank page.

Following is the rule that shows up in the logs, and it says:

# always check threshold in phase 2
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
    "id:949110,\
    phase:2,\
    deny,\
    t:none,\
    msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
    tag:'anomaly-evaluation',\
    tag:'OWASP_CRS',\
    ver:'OWASP_CRS/4.4.0'"

I tried putting a few things in my Kubernetes config map, but nothing seems to work, and my logs look like below:

2025/01/30 07:28:32 [error] 1156#1156: *10161 [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.4.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "y.y.y.y"] [uri "/suite/JSON-RPC"] [unique_id "1738222112.0855"] [ref ""], client: x.x.x.x, server: mysite.com, request: "POST /suite/JSON-RPC?appian_environment=tempo HTTP/2.0", host: "mysite.com", referrer: "https://mysite/startdesigner.none?idToOpen=19"

Any help on this?
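
Rule 949110 only compares the accumulated anomaly score with the threshold; the rules that actually added the score are logged under the same `unique_id`. The following is an added example, not part of the original post: it groups ModSecurity log lines by `unique_id` and lists the rules behind each 949110 block. The sample lines are constructed, rule id 999001 and `ARGS:example` are placeholders, and it assumes the warning lines are available in the same bracketed format (for instance nginx `error_log` at `info` level or the audit log).

```python
import re
from collections import defaultdict

BLOCKING_RULE_ID = "949110"  # CRS inbound blocking evaluation rule from the post

# Constructed sample lines in the bracketed ModSecurity v3 format. Rule id
# 999001, its message and ARGS:example are placeholders, not a real CRS rule.
SAMPLE_LOG = """\
ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `ARGS:example' (Value: `...' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/EXAMPLE.conf"] [line "1"] [id "999001"] [msg "Constructed sample detection"] [severity "2"] [uri "/suite/JSON-RPC"] [unique_id "1738222112.0855"] [ref ""]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "0"] [uri "/suite/JSON-RPC"] [unique_id "1738222112.0855"] [ref ""]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `ARGS:q' (Value: `...' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/EXAMPLE.conf"] [line "1"] [id "999001"] [msg "Constructed sample detection"] [severity "2"] [uri "/other"] [unique_id "1738222113.0001"] [ref ""]
"""

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')          # [key "value"] pairs
SCORE_RE = re.compile(r"Total Score: (\d+)")            # from the 949110 msg
VAR_RE = re.compile(r"against variable `([^']+)'")      # matched variable name


def parse_line(line):
    """Return the bracketed fields of one ModSecurity line, or None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields or "unique_id" not in fields:
        return None
    var = VAR_RE.search(line)
    fields["variable"] = var.group(1) if var else ""
    return fields


def explain_blocks(log_text):
    """Map unique_id -> score and contributing rules for denied requests."""
    by_txn = defaultdict(list)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields:
            by_txn[fields["unique_id"]].append(fields)
    report = {}
    for uid, events in by_txn.items():
        block = next((e for e in events if e["id"] == BLOCKING_RULE_ID), None)
        if block is None:
            continue  # scored but below the threshold: request was not denied
        score = SCORE_RE.search(block.get("msg", ""))
        report[uid] = {
            "uri": block.get("uri", ""),
            "score": int(score.group(1)) if score else None,
            "contributors": [(e["id"], e["variable"], e.get("msg", ""))
                             for e in events if e["id"] != BLOCKING_RULE_ID],
        }
    return report
```
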