IP.block set by a variety of rules in 910 and 913, leads to unconditional block in 949100
_Issue originally created by user dune73 on date 2016-08-12 08:28:23. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/514._
949100 blocks unconditionally if ip.block is set. ip.block is set by various rules in 910 and 913 regardless of scoring or blocking policy or any other setting in crs-setup.conf.
We need to discuss this blocking-on default policy for IP repudiation. And we need to describe an opt-out mechanism. At least. In fact I think we need far more documentation for this.
Personally I would prefer if we had a default repudiation-blocking=off policy by default. People will raise their anomaly thresholds to test out the CRS and then surprisingly get arbitrary blocks on bad behaviour of individual clients. This gives a scary feeling.
Top GitHub Comments
User dune73 commented on date 2016-09-15 12:55:42:
Here is a brief overview on the use of IP.block:
User dune73 commented on date 2016-09-19 12:19:17:
Closing this in favor of PR #580.