[Module:mod_security] ModSecurity: Warning. Matched "Operator `Within' with parameter

Hi everyone.
CyberPanel ERROR LOGS
Error Logs for main web server. Issue, kindly resolve?

[Module:mod_security] ModSecurity: Warning. Matched "Operator Within' with parameter GET HEAD POST OPTIONS’ against variable REQUEST_METHOD' (Value: PURGE’ ) [file “/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-911-METHOD-ENFORCEMENT.conf”] [line “27”] [id “911100”] [rev “”] [msg “Method is not allowed by policy”] [data “PURGE”] [severity “2”] [ver “OWASP_CRS/3.3.2”] [maturity “0”] [accuracy “0”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-generic”] [tag “paranoia-level/1”] [tag “OWASP_CRS”] [tag “capec/1000/210/272/220/274”] [tag “PCI/12.1”] [hostname “thenews.qm.com.pk”] [uri “/this-amazing-girl-is-on-top-of-the-emerging-fashion-empire/.*”] [unique_id “1665517627”] [ref “v0,5”]

Hi everyone.
CyberPanel ERROR LOGS
Error Logs for main web server. Issue, kindly resolve?

2022-10-11 21:47:07.870472 [INFO] [90615] [127.0.0.1:45882#Thenews.qm.com.pk] [Module:mod_security]Intervention status code triggered: 403
2022-10-11 21:47:07.870485 [INFO] [90615] [127.0.0.1:45882#Thenews.qm.com.pk] [Module:mod_security]Log Message: [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter 5’ against variable TX:ANOMALY_SCORE' (Value: 5’ ) [file “/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf”] [line “80”] [id “949110”] [rev “”] [msg “Inbound Anomaly Score Exceeded (Total Score: 5)”] [data “”] [severity “2”] [ver “OWASP_CRS/3.3.2”] [maturity “0”] [accuracy “0”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-generic”] [hostname “thenews.qm.com.pk”] [uri “/this-amazing-girl-is-on-top-of-the-emerging-fashion-empire/.*”] [unique_id “1665517627”] [ref “”]

please explain more

Dear Sir
Server log error showing
[Module:mod_security]Intervention status code triggered: 403
[Module:mod_security]Log Message: [client 127.0.0.1] ModSecurity: Access denied with code 403

and

[Module:mod_security] ModSecurity: Warning. Matched "Operator Within' with parameter GET HEAD POST OPTIONS’ against variable REQUEST_METHOD' (Value: PURGE’ ) [file “/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-911-METHOD-
???/

It is advisable to post all the errors as they appear in your error log for this particular issue. Also use preformatted text (CTRL+E) to format the errors for easier readability.
As seen in the second part of your posted logs you might need to disable the ModSecurity CRS Rule Group 911 Method Enforcement rule =>

 [file “/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-911-METHOD-
???/

here - https://yourServerIP:8090/firewall/modSecRules by adding the line SecRuleRemoveById 911100

Also read modSecurity documentation

[https://yourServerIP:8090/firewall/modSecRules]

after showing
SecRule ARGS "../" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access' ,log,auditlog,deny",

Yes after that rule

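To see why the 403 in this thread traces back to rule 911100 and not to 949110, the log lines can be grouped by `unique_id`; the following is an added example, not part of the original posts and not CyberPanel or ModSecurity code. The sample lines are constructed in the layout quoted above (ASCII quotes, shortened tags, placeholder hostname), the function names are hypothetical, and it assumes `unique_id` identifies a single request.

```python
import re
from collections import defaultdict

# Constructed sample in the layout quoted in this thread (not real server output).
SAMPLE_LOG = '''\
[Module:mod_security] ModSecurity: Warning. Matched "Operator `Within' with parameter `GET HEAD POST OPTIONS' against variable `REQUEST_METHOD' (Value: `PURGE' ) [file "REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "27"] [id "911100"] [msg "Method is not allowed by policy"] [data "PURGE"] [severity "2"] [hostname "example.test"] [uri "/post/"] [unique_id "1665517627"]
[Module:mod_security]Log Message: [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [hostname "example.test"] [uri "/post/"] [unique_id "1665517627"]
[Module:mod_security] ModSecurity: Warning. Matched "Operator `Within' with parameter `GET HEAD POST OPTIONS' against variable `REQUEST_METHOD' (Value: `PURGE' ) [file "REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "27"] [id "911100"] [msg "Method is not allowed by policy"] [data "PURGE"] [severity "2"] [hostname "example.test"] [uri "/other/"] [unique_id "1665517700"]
'''

# Matches the trailing [key "value"] metadata; skips [Module:...] and [client ...].
FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')
# The blocking-evaluation rule only reports the accumulated score, not the cause.
BLOCKING_RULE = "949110"


def parse_line(line):
    """Return the fields of one ModSecurity message, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD.findall(line))
    if "id" not in fields or "unique_id" not in fields:
        return None
    return {
        "id": fields["id"],
        "msg": fields.get("msg", ""),
        "data": fields.get("data", ""),
        "unique_id": fields["unique_id"],
        "denied": "Access denied" in line,
    }


def explain_blocks(log_text):
    """Map each denied request to the rules that raised its anomaly score."""
    by_request = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_request[event["unique_id"]].append(event)
    report = {}
    for request_id, events in by_request.items():
        if any(e["denied"] for e in events):
            report[request_id] = [(e["id"], e["msg"], e["data"])
                                  for e in events if e["id"] != BLOCKING_RULE]
    return report


if __name__ == "__main__":
    for request_id, causes in explain_blocks(SAMPLE_LOG).items():
        print(request_id, causes)
```

The rule ids this reports for a denied request are the candidates for tuning; 949110 itself only enforces the threshold.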