Welcome to the LimeSurvey Community Forum

Ask the community, share ideas, and connect with other LimeSurvey users!

Has anyone dealt with Modsecurity rule 990011, user-agent issue?

jsibley
Topic Author
Offline
Senior Member

More

7 years 2 months ago #161488 by jsibley

Has anyone dealt with Modsecurity rule 990011, user-agent issue? was created by jsibley

Hi,

I'm using limer to interface with r.

There is a rule in modsecurity on the host I am using that is rejecting calls to remotecontrol unless I whitelist the IP addresses I'm using (which change).

Has anyone dealt with this particular problem? I'm assuming I need to add or modify a rule to accept certain transactions (user-agent libcurl?)

Thanks for any help with this.

The topic has been locked.

jelo
Offline
Platinum Member

More

7 years 2 months ago #161494 by jelo

Replied by jelo on topic Has anyone dealt with Modsecurity rule 990011, user-agent issue?

[quote="jsibley" post=161488 I'm assuming I need to add or modify a rule to accept certain transactions (user-agent libcurl?)
[/quote]

You should post the rule instead of the ID. The mod security IDs are not telling me what rule is triggered.
Every ruleset can use these IDs.

Most common rule set with ID 990011 seems to be the Owasp-modsecurity-core-rule-set.

Code:

SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|d(?:eek:wnload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)" \
"chain,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',severity:'5'"
SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl"

Since these rulesets are very broad it is quite common to tigger a few rules when using APIs from webapplications.
LimeSurvey is no exception. You can deactivate the rule globally or restrict exception to certain paths.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users

The topic has been locked.

jsibley
Topic Author
Offline
Senior Member

More

7 years 2 months ago #161535 by jsibley

Replied by jsibley on topic Has anyone dealt with Modsecurity rule 990011, user-agent issue?

Thank you so much for responding. I think that this is an issue with limer (and, I believe, with limeRick), how they send the request to remotecontrol, and the rule that is being triggered. The message in my log file is:

[Tue Dec 05 23:28:33.355207 2017] [:error] [pid 3112:tid 140125572921088] [client 73.198.211.20] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/apache2/conf.d/imh-modsec/01_base_rules.conf"] [line "74"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "surveystest.jsassessments.com"] [uri "/index.php/admin/remotecontrol"] [unique_id "Widj4Rfrz4MAAAwoXKgAAACJ"]

I'm new to this, but I believe that the modsecurity rule requires a parameter for User-Agent and that this isn't being supplied by the R helpers. Limer doesn't appear to be updated often, but I've raised an issue in Github, in case someone is noticing.

Thanks again.

The topic has been locked.

jelo
Offline
Platinum Member

More

7 years 2 months ago #161536 by jelo

Replied by jelo on topic Has anyone dealt with Modsecurity rule 990011, user-agent issue?

jsibley wrote: I'm new to this, but I believe that the modsecurity rule requires a parameter for User-Agent and that this isn't being supplied by the R helpers. Limer doesn't appear to be updated often, but I've raised an issue in Github, in case someone is noticing.

The path of the ruleset indicates me, that your provider seems to be InMotionHosting.
The 990011 rule is too strict for many scenarios.

www.inmotionhosting.com/support/communit...ubleshoot-the-issues

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users

The topic has been locked.