OPNsense Forum

English Forums => General Discussion => Topic started by: Wuensch-AG-Adm on February 26, 2025, 08:52:18 AM

Title: OPNWAF / Web Application Firewall Business - Rule 200004 false positive
Post by: Wuensch-AG-Adm on February 26, 2025, 08:52:18 AM
Dear Community / OPNsense Team,
Actually, we are trying to publish our own web application through the OPNWAF (Apache + ModSecurity) and we have a problem that remains unsolved even with the latest version.
There is a core rule that blocks our web application, and we cannot upload anything bigger than 8MB with the web application.
The triggered core rule is the id 200004. We have found now that this rule often generates false positives (example https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/827), but with the OPNWAF Business we have no possibility to disable this rule (thanks, by the way, for the "disable security rules by id" combo box). We are trying to use the Business OPNsense functions (paid functions) as professionals. What are our possibilities in this case?
-> We know that we can edit the conf and comment out the rule, but this isn't really a professional solution, and the next time we update our firewall, those comments will be gone.

I hope you can provide us with a solution or give us a hint on how to avoid this kind of problem.

Thank you in advance.
Regards,

Joel T.
Title: Re: OPNWAF / Web Application Firewall Business - Rule 200004 false positive
Post by: Monviech (Cedrik) on February 26, 2025, 01:15:02 PM
Can you give me the output of this command:

# cd /usr/local/etc/apache24/modsecurity-crs
# grep -r 200004

Also tell me your current OPNsense version please.
Title: Re: OPNWAF / Web Application Firewall Business - Rule 200004 false positive
Post by: Wuensch-AG-Adm on June 20, 2025, 03:41:17 PM
Hi,

There is no output.
The version is 25.4.
-> The only output with grep is in the apache24-level folder -> modsecurity.conf
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

On GitHub and in many forums, it is pointed out that this rule triggers many false positives. Why is this rule not set up as information only by default?
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/827
https://community.sophos.com/sophos-xg-firewall/f/discussions/136863/false-positive-which-can-t-be-skipped
https://stackoverflow.com/questions/77583424/modsecurity-multipart-boundary-false-positives

Thank you for your help.

Regards,

Joel.
Title: Re: OPNWAF / Web Application Firewall Business - Rule 200004 false positive
Post by: Monviech (Cedrik) on June 20, 2025, 04:09:00 PM
Ahh, I see where this comes from.

Since an OPNWAF update, I think in 25.4, the file that allows rule exclusions is static now, which means you can edit your own ids into it and see if it helps.

Just edit:

/usr/local/opnsense/scripts/apache/modsecurity_ruleid.json

and e.g. add at the beginning:

"200004": "200004",

You can always restore the current file either by reinstalling OPNWAF or executing the script with the same name as the file in the same folder.

Please give feedback if this fixes your issues so we can add the rules of modsecurity.conf if needed.
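An added example, not code from the thread or from the OPNWAF project, of doing that edit idempotently: it checks that the id really is defined in the Apache conf (the same check as the grep above), adds the id to the exclusions JSON only if it is not already there, and writes the file atomically. It assumes the exclusions file is a flat JSON object mapping id strings to id strings, as the single line quoted above suggests; the sample file contents and conf line are constructed here.

```python
import json
import os
import re
import tempfile

# Constructed sample of the exclusions file: a flat JSON object whose keys and
# values are rule id strings. Anything beyond that one-line shape is an assumption.
SAMPLE_RULEID_JSON = '{\n  "920350": "920350",\n  "942100": "942100"\n}\n'
# Constructed line in the shape of the modsecurity.conf rule quoted in the thread.
SAMPLE_CONF = ("SecRule MULTIPART_UNMATCHED_BOUNDARY \"@eq 1\" \"id:'200004',phase:2,"
               "t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'\"\n")

RULE_ID_RE = re.compile(r"^\d{1,7}$")  # ModSecurity ids are plain integers

def rule_defined(conf_text: str, rule_id: str) -> bool:
    """True if conf_text contains id:'<rule_id>' (quoted or unquoted), like the grep."""
    return re.search(rf"\bid:'?{re.escape(rule_id)}'?(?=[,\s\"])", conf_text) is not None

def load_exclusions(text: str) -> dict:
    """Parse the exclusions JSON, refusing anything that is not a flat object."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object at top level")
    return data

def add_exclusion(text: str, rule_id: str) -> tuple[str, bool]:
    """Return (new_text, changed). Idempotent: an id already present is left as is.
    Only numeric ids are accepted so a typo cannot become a bogus, ignored exclusion."""
    if not RULE_ID_RE.match(rule_id):
        raise ValueError(f"not a ModSecurity rule id: {rule_id!r}")
    data = load_exclusions(text)
    if rule_id in data:
        return text, False
    data[rule_id] = rule_id
    return json.dumps(data, indent=2, sort_keys=True) + "\n", True

def write_atomically(path: str, text: str) -> None:
    """Write via temp file + rename so a crash never leaves a half-written JSON."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", suffix=".json")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise

if __name__ == "__main__":
    if rule_defined(SAMPLE_CONF, "200004"):
        print(add_exclusion(SAMPLE_RULEID_JSON, "200004")[0])
```

Pointed at the real files, the same two calls would read /usr/local/etc/apache24/modsecurity.conf and rewrite /usr/local/opnsense/scripts/apache/modsecurity_ruleid.json; reinstalling OPNWAF or running the script of the same name restores the original, as noted above.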