
WAF UTM Modsecurity violation

Hi,

We are experiencing an issue with our website behind WAF on Sophos UTM.  I have been toying around with getting our site to work via Web Protection for users outside the internal network. This log entry indicates that ModSecurity, a web application firewall, has detected a possible cross-site scripting (XSS) attack.

023:04:10-13:14:27 [security2:error] [pid 1018:tid 4117486448] [client 1.1.1.1:62184] [client 1.1.1.1] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?\\\\(.*?\\\\))" at ARGS:About. [file "/usr/apache/conf/waf/modsecurity_crs_xss_attacks.conf"] [line "506"] [id "973335"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22, Roboto, Arial, \\x22Droid Sans\\x22, sans-serif; color: rgb(115, 135, 156) found within ARGS:About: <h4 style=\\x22font-family: \\x22Helvetica Neue\\x22, Roboto, Arial, \\x22Droid Sans\\x22, sans-serif; color: rgb(115, 135, 156);\\x22><span style=\\x22font-weight: 700;\\x22>ELIE LOUTFI / \\xd8\\xa7</span></h4>"] [ver "OWASP_CRS/2.2.7"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "abc.xyz.com"] [uri "/product/machine/image"] [unique_id "ZDPhg7AnwYvo53owzhOiMwAAAJc"], referer: https://abc.xyz.net//product/machine/image=4sg7V/Hba6I=


Once we add the ID 973335 under skip rule, it works.

Can we do anything to solve this?
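The following is an added example, not part of the original post. It is a Python sketch that parses a shortened copy of the log entry above and replays the rule's pattern against the logged `ARGS:About` value, to show which substring triggers rule 973335. The de-escaped pattern, the function names and the shortened log line are assumptions made for illustration.

```python
import re

# Rule 973335's pattern with the log's escaping removed. This is a reading of
# the escaped form shown in the log (an assumption), not a copy of the rule file.
PATTERN = re.compile(r"""(?i:["'][ ]*(([^a-z0-9~_:' ])|(in)).+?\(.*?\))""")

# Constructed, shortened copy of the log entry (escapes reduced to one backslash).
SAMPLE_LOG = (
    r'ModSecurity: Warning. Pattern match "..." at ARGS:About. '
    r'[id "973335"] [msg "IE XSS Filters - Attack Detected."] '
    r'[data "Matched Data: \x22, Roboto, Arial, \x22Droid Sans\x22, sans-serif; '
    r'color: rgb(115, 135, 156) found within ARGS:About: '
    r'<h4 style=\x22font-family: \x22Helvetica Neue\x22, Roboto, Arial, '
    r'\x22Droid Sans\x22, sans-serif; color: rgb(115, 135, 156);\x22>'
    r'<span style=\x22font-weight: 700;\x22>ELIE LOUTFI / \xd8\xa7</span></h4>"] '
    r'[hostname "abc.xyz.com"] [uri "/product/machine/image"]'
)

def unescape(value):
    """Turn the log's \\xNN byte escapes back into text (bytes are UTF-8)."""
    raw = re.sub(rb'\\x([0-9a-fA-F]{2})',
                 lambda m: bytes([int(m.group(1), 16)]), value.encode())
    return raw.decode("utf-8", errors="replace")

def triage(log_line):
    """Extract the alert fields and replay the pattern on the logged value."""
    fields = dict(re.findall(r'\[(\w+) "(.*?)"\]', log_line))
    data = unescape(fields["data"]).partition("Matched Data: ")[2]
    logged_match, _, rest = data.partition(" found within ")
    target, _, payload = rest.partition(": ")
    hit = PATTERN.search(payload)
    return {
        "id": fields["id"],
        "target": target,                 # request variable that was inspected
        "logged_match": logged_match,     # what ModSecurity reported
        "replayed_match": hit.group(0) if hit else None,
        # character after the quote that satisfied the rule's first alternative
        "trigger": hit.group(1) if hit else None,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The replayed match begins at the quote that closes the font name, continues through the comma that follows it, and ends at `rgb(115, 135, 156)`, which is the same span ModSecurity reported as Matched Data.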


