Difference between revisions of "Reporting False Positives"
(Created page with '== '''Reporting False Positives when Running ASL''' == If ASL blocks something it shouldn't you can report a False Positive to our support team by simply clicking the "False Pos…') |
Revision as of 18:22, 25 November 2009
Reporting False Positives when Running ASL
If ASL blocks something it shouldn't you can report a False Positive to our support team by simply clicking the "False Positive" button in the GUI. If you have setup a support portal account your False Positive will be added to your account for review. If you have ASL configured to send alerts to one of the email addresses associated with your account then you will see your False Positives show up in real time in the support portal. If not, then a member of our support team will have to manually associate your reports with your account.
If you can not use the GUI to report a false positive, you can report false positives from the command line. For example, if you have an event like this in your audit_log:
[modsecurity] [client 1.2.3.4] [domain yourdomain.com] [403] [/20091115/20091115-1635/20091115-163542-rM-wwlKl8i4AACHwQ70AAAAa] [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "224"] [id "340026"] [rev "49"] [msg "Atomicorp.com WAF Rules: PHP Injection attempt in URI"] [data ""] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required.
The fourth variable, [/20091115/20091115-1635/20091115-163542-rM-wwlKl8i4AACHwQ70AAAAa], is the unique token for the event. You can report it with this command:
asl --report-false-positive /20091115/20091115-1635/20091115-163542-rM-wwlKl8i4AACHwQ70AAAAa
Reporting False Positives when not running ASL
If you are running the
