OPNWAF / Web Application Firewall Business - Rule 200004 false positive

Wuensch-AG-Adm · February 26, 2025, 08:52:18 AM

Dear Community / OPNsense Team,
actually we are trying to publish our own web application through the OPNWAF (Apache + ModeSecurity) and we have a problem the remains event with the latest version unsolved.
There is a core rule that block our web application and we cannot upload anything bigger than 8MB with the web application.
The triggered core rule is the id 200004. We have found now that often this rule generate false positive (example https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/827), but with the OPNWAF Business we have no possibility to disable this rule (thanks, by the way, for the "disable security rules by id" combo box). We are trying to use the Business OPNsense functions (paid functions) as professional. What are our possibilities in this case?
-> We know that we can edit the conf and comment the rule, but this isn't really a professional solution and the next time that we will update our firewall, those comments will be gone.

I hope you can provide us a solution or give us a hint to avoid this kind of problems.

Thank you ahead
Regards,

Joel T.

Monviech (Cedrik) · February 26, 2025, 01:15:02 PM

Can you give me the output of this command:

# cd /usr/local/etc/apache24/modsecurity-crs
# grep -r 200004

Also tell me your current OPNsense version please.

OPNWAF / Web Application Firewall Business - Rule 200004 false positive

Wuensch-AG-Adm

February 26, 2025, 08:52:18 AM

Monviech (Cedrik)

February 26, 2025, 01:15:02 PM #1