Mod Security Layman's Terms

keat63

Does anyone know of a list of Mod Sec rules, but in layman's terms, something that explains in layman's terms what is going on?

For instance:

960034: HTTP protocol version is not allowed by policy.
Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required.

Means absolutely nothing.

And then the actual rule text might as well be in Chinese.
 

cPanelMichael

Hello,

You may find the following OWASP configuration file helpful:

owasp-modsecurity-crs/modsecurity_crs_30_http_policy.conf at master · SpiderLabs/owasp-modsecurity-crs · GitHub

For instance, if you search that file for the term "HTTP protocol version is not allowed by policy", you can see additional information about the purpose of the rule in the commented lines. EX:

Code:
# Restrict protocol versions.
#
# TODO All modern browsers use HTTP version 1.1. For tight security, allow only
# this version.
#
# NOTE Automation programs, both malicious and non malicious many times use
# other HTTP versions. If you want to allow a specific automated program
# to use your site, try to create a narrower exception and not allow any
# client to send HTTP requests in a version lower than 1.1
#
SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" "phase:2,t:none,block,msg:'HTTP protocol version is not allowed by policy',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',id:'960034',tag:'OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
Thank you.
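
Added example, not part of the thread or of the CRS project: a small Python sketch that splits rule 960034 (as quoted above, actions trimmed) into its parts, renders it as one plain-English sentence, and evaluates the `!@within` test against sample protocol strings. The value of `tx.allowed_http_versions` and the sample protocols are assumptions constructed for illustration; the function names are hypothetical.

```python
import re

# Rule 960034 as quoted in the post above, with the action list trimmed.
RULE = ('SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" '
        '"phase:2,t:none,block,msg:\'HTTP protocol version is not allowed by policy\','
        'severity:\'2\',id:\'960034\',tag:\'OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED\'"')

# Assumption: this variable is set in the CRS setup file, which is not shown on this page.
TX = {"allowed_http_versions": "HTTP/0.9 HTTP/1.0 HTTP/1.1"}

def parse_secrule(line):
    """Split a SecRule line into variable, negation, operator, argument, actions."""
    m = re.match(r'SecRule\s+(\S+)\s+"(!?)@(\w+)\s+([^"]*)"\s+"(.*)"$', line)
    if not m:
        raise ValueError("not a SecRule with an @operator")
    variable, neg, operator, argument, raw = m.groups()
    actions = {}
    # Actions are comma separated; a quoted value may itself contain commas.
    for part in re.findall(r"(?:[^,']|'[^']*')+", raw):
        key, _, val = part.partition(":")
        actions.setdefault(key.strip(), []).append(val.strip("'"))
    return {"variable": variable, "negated": neg == "!", "operator": operator,
            "argument": argument, "actions": actions}

def expand(argument, tx):
    """Replace %{tx.name} macros with their values from the tx collection."""
    return re.sub(r"%\{tx\.([\w.-]+)\}", lambda m: tx.get(m.group(1), ""), argument)

def rule_fires(rule, value, tx):
    """True when the rule would match (and therefore log/block) for this value."""
    if rule["operator"] != "within":
        raise NotImplementedError(rule["operator"])
    hit = value in expand(rule["argument"], tx)  # @within is a substring test
    return not hit if rule["negated"] else hit

def explain(rule, tx):
    """One-sentence plain-English reading of the rule."""
    a = rule["actions"]
    cond = "is NOT found in" if rule["negated"] else "is found in"
    return (f"Rule {a['id'][0]} (phase {a['phase'][0]}): if {rule['variable']} "
            f"{cond} \"{expand(rule['argument'], tx)}\", apply the 'block' "
            f"action and log \"{a['msg'][0]}\".")

if __name__ == "__main__":
    rule = parse_secrule(RULE)
    print(explain(rule, TX))
    for proto in ("HTTP/1.1", "HTTP/1.0", "HTTP/2.0", "JUNK/1.0"):  # constructed samples
        print(f"{proto:9} -> {'flagged' if rule_fires(rule, proto, TX) else 'allowed'}")
```
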