0

When using mod_security (installed from EPEL) with Apache 2 on a CentOS box, sometimes users are unable to send messages. I'm having trouble tracing the rule back; the only place I get to is 'inbound anomaly score too high'.

Anyone know what I should be looking for, how to trace mod_security stuff, or better yet, specifically what OWA in 2003 is doing that it doesn't like?

Devnull

2 Answers

1

Did you take a look at the Apache error log? If you did, you will see the rule which spawned that message, something like this:

    [Mon Dec 13 10:44:16 2010] [error] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "35"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 20, SQLi=, XSS=): Request Missing an Accept Header"] [hostname "xx"] [uri "/index.html"] [unique_id "hKt1A38AAAEAADzVdd4AAAAH"]
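An added example, not part of either answer: the correlation entry above only reports the total, so this sketch groups error-log entries by `unique_id` and lists the rules that fired in each transaction that exceeded the inbound threshold. It assumes the contributing rules also log to the Apache error log; apart from the entry quoted above, the sample lines, rule ids and `example_rules.conf` are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log. Line 3 is the entry quoted in the answer; the other
# lines, their rule ids and example_rules.conf are placeholders standing in
# for the per-rule warnings that share a unique_id with the correlation entry.
SAMPLE_LOG = """\
[Mon Dec 13 10:44:16 2010] [error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/base_rules/example_rules.conf"] [line "10"] [id "EXAMPLE-1"] [msg "Request Missing a User Agent Header"] [hostname "xx"] [uri "/index.html"] [unique_id "hKt1A38AAAEAADzVdd4AAAAH"]
[Mon Dec 13 10:44:16 2010] [error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/base_rules/example_rules.conf"] [line "20"] [id "EXAMPLE-2"] [msg "Request Missing an Accept Header"] [hostname "xx"] [uri "/index.html"] [unique_id "hKt1A38AAAEAADzVdd4AAAAH"]
[Mon Dec 13 10:44:16 2010] [error] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "35"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 20, SQLi=, XSS=): Request Missing an Accept Header"] [hostname "xx"] [uri "/index.html"] [unique_id "hKt1A38AAAEAADzVdd4AAAAH"]
[Mon Dec 13 10:45:02 2010] [error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/base_rules/example_rules.conf"] [line "20"] [id "EXAMPLE-2"] [msg "Request Missing an Accept Header"] [hostname "xx"] [uri "/other.html"] [unique_id "constructed-other-txn"]
"""

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs
SUMMARY = "Anomaly Score Exceeded"  # text of the correlation rule's msg

def parse_line(line):
    """Return the [key "value"] fields of a ModSecurity entry, or None."""
    if "ModSecurity:" not in line:
        return None
    return dict(FIELD.findall(line))

def trace_anomalies(log_text):
    """Map unique_id -> rules that matched in transactions over the threshold."""
    by_txn = defaultdict(list)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and "unique_id" in fields:
            by_txn[fields["unique_id"]].append(fields)
    report = {}
    for uid, entries in by_txn.items():
        if not any(SUMMARY in e.get("msg", "") for e in entries):
            continue  # transaction never hit the anomaly threshold
        # Keep the contributing rules, drop the correlation summary itself.
        report[uid] = [
            (e.get("id", "-"), e.get("file", "-"), e.get("line", "-"), e.get("msg", ""))
            for e in entries if SUMMARY not in e.get("msg", "")
        ]
    return report

if __name__ == "__main__":
    for uid, rules in trace_anomalies(SAMPLE_LOG).items():
        print(uid)
        for rule_id, conf, lineno, msg in rules:
            print(f"  id={rule_id} {conf}:{lineno} {msg}")
```

The `file` and `line` fields of each listed entry point at the rule definition to review or tune for the affected OWA requests.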

1

I've heard from a working colleague that it's pretty hard to secure OWA with mod_security.

But you could enable the debug logging of mod_security:

    SecDebugLog /usr/local/apache/logs/modsec-debug.log
    SecDebugLogLevel 4

weeheavy