Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Rule 920310 (CRS3) not firing if no User-Agent is submitted

See original GitHub issue

_Issue originally created by user dune73 on date 2016-06-21 09:16:41. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/370._

920310 (CRS3) is meant to alarm if there is no Accept header. There are cases where an alarm is suppressed based on the User-Agent. However, given the construction of the rule, a request without a User-Agent will never trigger 920310, which is a false negative.

Possible solutions:

2nd rule covering this special case
replace @pm with regex and check for empty header

Thoughts?

This issue evolved from a discussion in #366.

Issue Analytics

State:
Created 3 years ago
Comments:5

Top GitHub Comments

1reaction

CRS-migration-botcommented, May 13, 2020

User dune73 commented on date 2016-07-02 15:11:17:

Can’t resist such an invitation. Please consider #389 as my offering.

1reaction

CRS-migration-botcommented, May 13, 2020

User dune73 commented on date 2016-06-28 12:34:10:

csanders-git : good remark about 920320 being notice. I overlooked that.

Covering the special case at a higher PL does not seem right to me as it allows a simple evasion at PL1 to go mostly unnoticed and it tears two rules with the same goal apart within the same rule file.

I think a PL1 sibling 920311 right after 920310 is the better solution:

SecRule REQUEST_HEADERS:Accept "^$" \
  ...id:920310
     SecRule REQUEST_METHOD "!^OPTIONS$" \
       "chain"
          SecRule &REQUEST_HEADERS:User-Agent "@eq 0"
          ...

That way the problem is contained at PL1 and within the same area in the rule file.