Mod_Security False Positive Reporting System
"Brian" from cPanel has indicated that they are currently working on a system that will report a false positive mod_security rule from within the 'ModSecurity Tools' section of cPanel:
I propose that, if possible, the new 'Report' system works as follows:
1. User reports rule as a false positive, providing more information as to the circumstances that can be duplicated to test and generate the false positive.
2. The specific mod_security rule will be automatically disabled globally on the server, due to the false positive report.
3. Once a new ruleset update is detected, consider scanning for the "rev" of the particular rule to determine if it has been updated since last run. If it has, re-enable the rule globally so that the additional protection can be activated.
4. If the rule continues to cause a problem, it can be 'Reported' again and more information provided in order to refine the rule further.
My primary "request" here is that the rule is automatically disabled and then re-enabled once a rule update is detected. The assumption is that the rule will be updated once the false positive has been identified and fixed, so the new update should correct the problem. At the very worst, if the rule is still broken, the report system will disable the rule again until the next update, and so on... Permanently disabling rules on a server works to prevent the false positives, but it can (and will) reduce overall server security, almost rendering the use of mod_security pointless.
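A sketch of the rev check in steps 2 and 3, added here as an illustration; it is not cPanel's implementation and not code from the original post. The function names, the state dictionary and the rule ids are hypothetical, and the parser assumes `id` and `rev` appear only in the rule's action list.

```python
import re

# Match the id and rev actions of a ModSecurity rule, quoted or unquoted.
ID_RE = re.compile(r"\bid\s*:\s*'?(\d+)'?")
REV_RE = re.compile(r"\brev\s*:\s*'?([^',\"]+)'?")

# Constructed sample: ruleset text after an update (ids and revs are made up).
UPDATED_RULESET = r'''
SecRule ARGS "@rx select.+from" \
    "id:900001,phase:2,block,rev:'3',msg:'constructed rule A'"
SecRule REQUEST_URI "@contains /admin" "id:900002,phase:1,deny,rev:'1',msg:'constructed rule B'"
SecRule ARGS "@rx <script" "id:900003,phase:2,block,msg:'constructed rule C'"
'''
# Constructed state: rule id -> rev recorded when the false positive was reported.
REPORTED = {"900001": "2", "900002": "1", "900003": None}

def parse_revs(ruleset_text):
    """Return {rule_id: rev or None} for each SecRule/SecAction in the text."""
    # Join backslash-continued lines so each directive is one logical line.
    joined = re.sub(r"\\\r?\n\s*", " ", ruleset_text)
    revs = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith(("SecRule ", "SecAction ")):
            continue
        m_id = ID_RE.search(line)
        if m_id:
            m_rev = REV_RE.search(line)
            revs[m_id.group(1)] = m_rev.group(1) if m_rev else None
    return revs

def reconcile(disabled, new_ruleset_text):
    """Split reported rules into (still_disabled, re_enabled_ids) after an update."""
    current = parse_revs(new_ruleset_text)
    still, reenabled = {}, []
    for rule_id, reported_rev in disabled.items():
        new_rev = current.get(rule_id)
        # Re-enable only when the update carries a rev that differs from the reported one.
        if new_rev is not None and new_rev != reported_rev:
            reenabled.append(rule_id)
        else:
            still[rule_id] = reported_rev
    return still, sorted(reenabled)

def exclusion_conf(still_disabled):
    """Render the global exclusions as SecRuleRemoveById directives."""
    return "".join(f"SecRuleRemoveById {rid}\n" for rid in sorted(still_disabled))
```

A rule whose rev is unchanged, missing, or absent from the updated ruleset stays disabled, so a false positive is not silently reintroduced by an update that did not touch it.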