
How do I unblock a request uri in Modsecurity CRS?

Çağlar Arlı      -    28 Views

I have installed an Nginx WAF with ModSecurity CRS. This WAF protects a backend WordPress.

One request from one of the plugins generated a false positive in ModSecurity with the rule id 933120.

I identified it in the audit log, studied it, and created an exclusion rule as follows:

# REQUEST_URI includes the query string, so the prefix covers the page parameter
SecRule REQUEST_URI "@beginsWith /wp-admin/admin.php?page=wp-mail-smtp" \
    "id:1001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=933120;ARGS:_wp_http_referer"
# phase 1 runs before the CRS phase-2 rule, so the target is removed in time

But as the score is now higher than the anomaly score threshold, I'm still getting access denied for the request and I can see it in the logs:

2024/06/19 04:36:06 [error] 1071#1071: *553 [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity.d/owasp-crs-wordpress/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.2.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "x.x.x.x"] [uri "/wp-admin/admin.php"] [unique_id "171878256689.980974"] [ref ""], client: x.x.x.x, server: mydomain.com, request: "POST /wp-admin/admin.php?page=wp-mail-smtp-tools&tab=test HTTP/2.0", host: "mydomain.com", referrer: "https://mydomain.com/wp-admin/admin.php?page=wp-mail-smtp-tools"

How can I remove the URL from the blacklist? Is there a way to reset the anomaly score for requests to this URL?
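Added example, not part of the question or of the CRS project: a rule exclusion for the same request written the way CRS 4 recommends. The error-log line above only names 949110, the evaluation rule that compares the total with the threshold; the rules that actually added the points are logged separately in the audit log (SecAuditLog, section H) with their own `[id "..."]`, and the exact variable each one matched follows `against variable`. One CRITICAL match is 5 points, which is already the default blocking threshold, so every (rule id, variable) pair listed there needs its own exclusion, not just the first one you notice. The example assumes CRS 4.x with the default threshold of 5, that the rule is loaded in the pre-CRS exclusion file (`REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf`), and that the audit log showed 933120 matching a second parameter, called `ARGS:test_email` here as a placeholder for whatever name your log shows.

```apache
# Added example, not the asker's configuration. Assumes CRS 4.x, default
# blocking_inbound_anomaly_score of 5, and a second offending parameter
# that is a placeholder name here (ARGS:test_email): replace it with the
# variable your audit log reports after "against variable".

# Match the script path and the "page" query parameter separately instead
# of prefix-matching REQUEST_URI: the prefix only works while "page" is the
# first query parameter, and REQUEST_FILENAME/ARGS_GET are what CRS uses
# for its own application exclusions. Phase 1 runs before the phase-2 CRS
# rule, so the targets are removed before 933120 is evaluated.
SecRule REQUEST_FILENAME "@streq /wp-admin/admin.php" \
    "id:1001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule ARGS_GET:page "@beginsWith wp-mail-smtp" \
        "t:none,\
        ctl:ruleRemoveTargetById=933120;ARGS:_wp_http_referer,\
        ctl:ruleRemoveTargetById=933120;ARGS:test_email"

# If 933120 keeps firing on changing parameter names for this page, the
# next-narrowest step is to drop the one rule for this request by replacing
# the two ctl:ruleRemoveTargetById actions with:
#     ctl:ruleRemoveById=933120
# Do not use ctl:ruleEngine=Off for /wp-admin: that disables every rule,
# not just the one producing the false positive.
```

After reloading, repeat the plugin's test request and check the audit log again rather than only the error log: if 933120 still appears for a variable you have not listed, the score stays at 5 and 949110 keeps blocking. There is no per-URL "reset" of the anomaly score; the score is computed fresh for each request from the rules that match it, so removing the matching targets (or the rule) for that request is the way to bring it under the threshold.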