Mod_Security false positive, how can I whitelist?




Posted by gpl24, 02-18-2011, 04:07 AM
Any URL I have with the name "Union" gets an error, how can I bypass mod security for these pages, as they are legit pages? I am using the default mod security rules.

Posted by SunShellHosting, 02-18-2011, 04:46 AM
Check apache log and white list the rule.

Posted by gpl24, 02-22-2011, 11:15 PM
modsec_audit.log doesn't have any mentions of this, or how to fix it. There are plenty of other errors that got logged; but not this certain hit that I am trying to whitelist.

Posted by asciiDigital, 02-22-2011, 11:48 PM
SecRule ARGS:variablename "Union" phase:1,nolog,allow,ctl:ruleEngine=off

Posted by gpl24, 02-24-2011, 04:12 PM
Tried that fix, but it didn't work. Here is my mod_security entry from WHM:

Posted by gpl24, 02-28-2011, 06:59 AM
Am I looking in the wrong spot, perhaps?

Posted by Patrick, 02-28-2011, 10:11 AM
It's possible. I know on our servers we have two mod_security config files but only one is used. Take a look under /usr/local/apache/conf and you should see either modsec2.conf or modsecurity2.conf or both. If you wanted to whitelist a domain from using mod_security then add the following line to the configuration files before the tag at the top:

SecRule SERVER_NAME "domain.com" phase:1,nolog,allow,ctl:ruleEngine=off

Posted by gpl24, 03-01-2011, 10:32 PM
Found this under /usr/local/apache/conf/modsec2.user.conf:

I tried opening the included files, but the .so's were unreadable (@'s & squiggly lines). /usr/local/apache/conf/modsec2.user.conf is the same file I've been reading from WHM. I did a search for "union" in the body, but couldn't locate any rule triggering "union".

Couldn't locate these files: logs/modsec_audit.log, logs/modsec_debug_log

I'm not sure I want to whitelist the domain (there's only 1 site on this server), but I'd like to whitelist particular URLs/pages, at least.

Posted by gpl24, 03-02-2011, 12:19 AM
Figured it out. A 3rd party security addon I use in my php scripts: By removing union I regain access to these pages. However, will mod_security still protect me if an attacker does a union probe?
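
Added example (not part of the original thread, and not code from any poster): a small Python script for the "check the Apache log" step, which scans the error log for ModSecurity denials on URLs containing a keyword and reports which rule fired. The log lines, rule ids, client IPs and hostname are constructed samples in the ModSecurity 2.x error_log format; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread) in ModSecurity 2.x error_log format.
SAMPLE_LOG = """\
[Fri Feb 18 04:05:11 2011] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "42"] [id "900001"] [msg "constructed rule"] [hostname "example.com"] [uri "/credit-union/rates.php"] [unique_id "AAAAAAAAAAAAAAAAAAAAAAAA"]
[Fri Feb 18 04:05:40 2011] [error] [client 203.0.113.7] File does not exist: /home/user/public_html/favicon.ico
[Fri Feb 18 04:06:02 2011] [error] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "57"] [hostname "example.com"] [uri "/Union-Hall/index.php"] [unique_id "BBBBBBBBBBBBBBBBBBBBBBBB"]
[Fri Feb 18 04:07:30 2011] [error] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:q. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "63"] [id "900002"] [msg "constructed rule"] [hostname "example.com"] [uri "/search.php"] [unique_id "CCCCCCCCCCCCCCCCCCCCCCCC"]
"""

# ModSecurity appends metadata as [key "value"] tags; [client ...] and the
# timestamp carry no quoted value, so they are not matched.
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')


def modsec_hits(log_text):
    """Yield a dict of metadata tags for every ModSecurity denial line."""
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" in line:
            yield dict(TAG.findall(line))


def rules_blocking(log_text, needle):
    """Map each rule to the blocked URIs that contain `needle` (case-insensitive).

    A rule is keyed by its id, or by "file:line" when the rule has no id
    (common in older rule sets), so it can still be located in the config.
    """
    blocked = defaultdict(set)
    for hit in modsec_hits(log_text):
        uri = hit.get("uri", "")
        if needle.lower() in uri.lower():
            rule = hit.get("id") or "%s:%s" % (hit.get("file"), hit.get("line"))
            blocked[rule].add(uri)
    return {rule: sorted(uris) for rule, uris in blocked.items()}


if __name__ == "__main__":
    found = rules_blocking(SAMPLE_LOG, "union")
    if not found:
        print("No ModSecurity denial logged for these URLs; look for another filter.")
    for rule, uris in found.items():
        print(rule, "->", ", ".join(uris))
```

An empty result means ModSecurity did not log a denial for those URLs, which points to a different layer doing the blocking. When a rule is reported, the exception can be limited to that rule and those paths (for example with SecRuleRemoveById inside a LocationMatch block) rather than switching the rule engine off for the whole domain.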


