-
Notifications
You must be signed in to change notification settings - Fork 475
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[AppSec] - SecLang rule behaving different in 1.6.4 #3350
Comments
@victoredvardsson: Thanks for opening an issue, it is currently awaiting triage. In the meantime, you can:
DetailsI am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository. |
We ended up rolling back to 1.6.3 since we got a lot of reports from customers. Can try to post some more examples later if needed. |
Hello, Thanks for the report. I'm a bit confused: you say the rule is triggering a false positive, but according to your example requests, the rule does not match (you get a 404) ? |
Hello, bad example from me. I will try to get a better one. But anyways after revert to 1.6.3 everything is working as expected for our customers again. |
Here is another rule that also should not react to this request. Since it does not contain /demo.php
|
Hello, Thanks for the update ! I see what is the bug and what is the root cause (our deduplication of rules that we added in 1.6.4). We are looking for a proper fix and will keep you posted (1.6.5 most likely). For now it's safer to stick to 1.6.3 if you're using such native mod_sec rules. Sorry for the inconvenience :) |
Hello! Ok thanks for the quick reply, then we will hold off until that is fixed 👍 |
After investigation, the issue is the following:
What went wrong:
The fix:
|
What happened?
One rule that worked prior in 1.6.3 suddenly started to produce false positives. Especially when working with elementor plugin in wordpress.
This is the request (copied from elasticsearch), and it should not match since the url does not contain any of the specified phrases in SecRule REQUEST_URI
The text was updated successfully, but these errors were encountered: