Hey gang, it's going on 4 months now and we are still poking at this XG to get the ModSecurity settings the way we need them.
I have a team of developers banging their heads into the desks rewriting applications to help get around this abomination of a WAF.
We already have to manually update the DB to increase the SEC_REQUEST_BODY_NO_FILES_LIMIT to keep this thing from timing out on a 1 MB+ PDF stream.
Sadly the underlying control of modsec is limited on the XG (unlike the UTM) and we have been struggling to tweak the rules to work with our environment.
One issue I have is that simply skipping an entire rule across the board when it only needs to be excluded from a single URI isn't an acceptable solution; it's more of a vulnerability.
And when we do try to define a URI with an exclusion, some genius put together 11 categories of rules but no index of which rule IDs live in which category.
Can anyone here please tell me which category ID 95097 (System Command Injection) would fall under? Or which category RFI Attacks fall under?
We have some PDF-generating servers that keep triggering the SQL injection attempt rule and these other two rules.
IDK how to keep them from tipping over the anomaly score without manually excluding the URIs in question.
The PDF is streamed back out to the client and it's ticking off ModSecurity.
If I had full control I would simply make my tweaks in the configs, but everything is locked down. It's not that I can't get root, I just don't want to void our contract.
With every day that goes by we are becoming less enthralled with this device.
If anyone has any insight, I appreciate the help.
Thanks. JB
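For readers running a standard ModSecurity 2.x deployment (which the XG does not expose), the per-URI exclusion the post is asking for looks like the following. This is an added example, not from the post or from Sophos; the paths and the local rule IDs 10001 and 10002 are hypothetical, 95097 is the ID quoted in the post, and 942100 is an OWASP CRS 3 ID used only to illustrate per-parameter target exclusion (the XG's own rule IDs differ).

```apache
# Added example, not from the post: scoping ModSecurity exclusions to a URI
# instead of disabling a rule globally. Paths and IDs 10001-10002 are
# hypothetical; 95097 is the ID quoted in the post.

# Raise the limit for request bodies without file uploads so a large PDF
# stream is not rejected or timed out. Presumably the directive behind the
# post's SEC_REQUEST_BODY_NO_FILES_LIMIT setting.
SecRequestBodyNoFilesLimit 2097152

# Remove rule 95097 only for transactions hitting the PDF generator.
# ctl: actions apply to the current transaction only, so the rule stays
# active everywhere else.
SecRule REQUEST_URI "@beginsWith /reports/pdf" \
    "id:10001,phase:1,pass,nolog,t:none,ctl:ruleRemoveById=95097"

# Narrower still: keep the rule, but stop it inspecting one parameter on
# that endpoint. 942100 is the CRS 3 libinjection SQLi rule; substitute the
# ID your audit log actually shows.
SecRule REQUEST_URI "@beginsWith /reports/pdf" \
    "id:10002,phase:1,pass,nolog,t:none,ctl:ruleRemoveTargetById=942100;ARGS:document"

# If it is the streamed PDF *response* that trips rules, check which MIME
# types are buffered for inspection. The recommended config inspects only
# text types, so application/pdf would not be examined unless added here.
SecResponseBodyMimeType text/plain text/html text/xml
```

These exclusion rules must be loaded before the rule set they modify (ctl:ruleRemoveById in phase 1 only affects rules evaluated later in the same transaction), which is why CRS ships a separate pre-ruleset exclusion file. Prefer ruleRemoveTargetById where a single parameter is the false-positive source; it leaves the rule enforcing on every other argument of the same request.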
This thread was automatically locked due to age.