mod_security with core rule set returns truncated application 500 response instead of replacing it with 404

Solution Verified

Issue

  • We use mod_security with the OWASP core rule set. We set it to paranoia level 2 and so expect a rule like the one below to block any application 500 response from being sent through:
SecRule RESPONSE_STATUS "^5\d{2}$" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'The application is not available',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970901',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"
  • But in some cases, a truncated application 500 response comes through instead of the httpd 404 response.
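Splitting the rule quoted above into its variables, operator and action list makes the phase, rule id, disruptive action and scoring setvars easy to inspect when auditing a CRS deployment. This is an added example, not code from the Red Hat article, ModSecurity or the CRS project; it handles only the single-line SecRule form shown here and the implicit @rx operator.

```python
import re

# Rule 970901 exactly as quoted in the issue above (one line).
RULE = r'''SecRule RESPONSE_STATUS "^5\d{2}$" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'The application is not available',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970901',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"'''


def split_actions(actions: str) -> list:
    """Split a SecRule action string on commas, leaving single-quoted values intact."""
    items, buf, quoted = [], [], False
    for ch in actions:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        items.append("".join(buf).strip())
    return items


def parse_secrule(line: str) -> dict:
    """Parse 'SecRule VARIABLES "OPERATOR" "ACTIONS"' into a dict of its parts.

    Actions are keyed by name; repeatable ones (tag, setvar) collect into a list.
    """
    m = re.match(r'SecRule\s+(\S+)\s+"((?:[^"\\]|\\.)*)"\s+"((?:[^"\\]|\\.)*)"\s*$', line)
    if not m:
        raise ValueError("not a single-line SecRule directive")
    variables, operator, actions = m.groups()
    parsed = {"variables": variables.split("|"), "operator": operator, "actions": {}}
    for item in split_actions(actions):
        name, _, value = item.partition(":")
        parsed["actions"].setdefault(name, []).append(value.strip("'"))
    return parsed


def matches_status(rule: dict, status: int) -> bool:
    """Apply the rule's operator (implicit @rx) to a response status code."""
    op = rule["operator"]
    if op.startswith("@"):
        raise NotImplementedError("only the implicit @rx operator is handled")
    return re.search(op, str(status)) is not None


if __name__ == "__main__":
    rule = parse_secrule(RULE)
    print("phase", rule["actions"]["phase"], "id", rule["actions"]["id"])
    print("500 matches:", matches_status(rule, 500), "| 404 matches:", matches_status(rule, 404))
```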

Environment

  • Red Hat Enterprise Linux (RHEL)
  • Apache httpd
  • mod_security
  • OWASP core rule set
