Description
I've enabled HTTP/3 since it's supported in nginx and coreruleset now, but I do get several false positives for requests that are technically already excluded.
Logs
2025/04/14 12:27:04 [error] 1110#1110: *1147 [client 192.168.1.101] ModSecurity: Access denied with code 418 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `18' ) [file "/etc/nginx/modsec/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg ""] [data ""] [severity "0"] [ver "OWASP_CRS/4.13.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "192.168.3.120"] [uri "/api/graphql"] [unique_id "174463362426.142133"] [ref ""], client: 192.168.1.101, server: dev.example.com, request: "POST /api/graphql HTTP/3.0", referrer: "https://dev.example.com/image/proxy"
2025/04/14 12:27:18 [error] 1110#1110: *1177 [client 192.168.1.101] ModSecurity: Access denied with code 418 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `8' ) [file "/etc/nginx/modsec/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg ""] [data ""] [severity "0"] [ver "OWASP_CRS/4.13.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "192.168.3.120"] [uri "/ocs/v2.php/apps/user_status/api/v1/heartbeat"] [unique_id "174463363852.780358"] [ref ""], client: 192.168.1.101, server: cloud.example.com, request: "PUT /ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json HTTP/3.0", referrer: "https://cloud.example.com/index.php/apps/tasks/calendars/test/tasks/339024246520119923.ics"
I have rules like this which work perfectly fine for HTTP/1 & HTTP/2 to bypass the false positive:
# Exclusion for the graphql endpoint on dev.example.com: drop rule 949110 when both chained rules match
SecRule SERVER_NAME "dev.example.com" "id:102,phase:2,t:none,nolog,pass,ctl:ruleRemoveById=949110,chain"
SecRule REQUEST_FILENAME "/api/graphql"
# Exclusion for the user_status heartbeat endpoint on cloud.example.com
SecRule SERVER_NAME "cloud.example.com" "id:608,phase:2,t:none,nolog,pass,ctl:ruleRemoveById=949110,chain"
SecRule REQUEST_FILENAME "/ocs/v2.php/apps/user_status/api/v1/heartbeat"
No matter what I do, HTTP/3 always fails, even when changing the phase, rule id, etc.
Your Environment
- CRS version (e.g., v3.3.4): v4.13.0
- Paranoia level setting (e.g. PL1): PL1
- ModSecurity version (e.g., 2.9.6): 3.0.14
- Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): Nginx 1.26.3
- Operating System and version: Debian 12
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
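As an added triage example (not part of the issue, nor code from the CRS or ModSecurity projects): a Python script that parses the two error-log lines above into the fields the exclusion rules test, then replays the chained SERVER_NAME / REQUEST_FILENAME patterns (ModSecurity's default operator is an unanchored @rx) against them. It assumes the sample lines and the exclusion ids 102 and 608 exactly as posted in the report.

```python
import re
from dataclasses import dataclass

# Two error-log lines copied from the issue report (hosts and IPs as sanitized by the reporter).
SAMPLE_LOG = r'''2025/04/14 12:27:04 [error] 1110#1110: *1147 [client 192.168.1.101] ModSecurity: Access denied with code 418 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `18' ) [file "/etc/nginx/modsec/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg ""] [data ""] [severity "0"] [ver "OWASP_CRS/4.13.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "192.168.3.120"] [uri "/api/graphql"] [unique_id "174463362426.142133"] [ref ""], client: 192.168.1.101, server: dev.example.com, request: "POST /api/graphql HTTP/3.0", referrer: "https://dev.example.com/image/proxy"
2025/04/14 12:27:18 [error] 1110#1110: *1177 [client 192.168.1.101] ModSecurity: Access denied with code 418 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `8' ) [file "/etc/nginx/modsec/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg ""] [data ""] [severity "0"] [ver "OWASP_CRS/4.13.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "192.168.3.120"] [uri "/ocs/v2.php/apps/user_status/api/v1/heartbeat"] [unique_id "174463363852.780358"] [ref ""], client: 192.168.1.101, server: cloud.example.com, request: "PUT /ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json HTTP/3.0", referrer: "https://cloud.example.com/index.php/apps/tasks/calendars/test/tasks/339024246520119923.ics"
'''

# Pull out the fields that matter for exclusion triage from the nginx/ModSecurity error-log format above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] .*?ModSecurity: Access denied with code (?P<code>\d+)"
    r" \(phase (?P<phase>\d)\)\..*?\(Value: `(?P<score>\d+)' \).*?\[id \"(?P<id>\d+)\"\].*?\[uri \"(?P<uri>[^\"]*)\"\]"
    r".*?, server: (?P<server>[^,]+), request: \"(?P<method>\S+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)\""
)

@dataclass(frozen=True)
class Denial:
    ts: str
    rule_id: str
    score: int      # value of TX:BLOCKING_INBOUND_ANOMALY_SCORE at the time of the block
    server: str     # what SERVER_NAME is expected to hold
    uri: str        # the [uri "..."] field: path without query string, i.e. REQUEST_FILENAME
    method: str
    proto: str      # request protocol as logged (HTTP/1.1, HTTP/2.0, HTTP/3.0)

def parse_denials(log_text):
    """Return one Denial per 'Access denied' line; lines that do not match the format are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            denials.append(Denial(m["ts"], m["id"], int(m["score"]), m["server"], m["uri"], m["method"], m["proto"]))
    return denials

def exclusion_covers(rule, denial):
    """Replay a chained SERVER_NAME / REQUEST_FILENAME exclusion: both patterns are unanchored @rx by default."""
    server_pattern, path_pattern = rule
    return re.search(server_pattern, denial.server) is not None and re.search(path_pattern, denial.uri) is not None

def triage(log_text, exclusions):
    """For each denial, list the exclusion ids whose patterns match the logged fields, keyed by protocol version."""
    return [(d.proto, d.server, d.uri, d.score, [eid for eid, rule in exclusions.items() if exclusion_covers(rule, d)])
            for d in parse_denials(log_text)]

# The two exclusions from the report: id -> (SERVER_NAME pattern, REQUEST_FILENAME pattern).
EXCLUSIONS = {102: ("dev.example.com", "/api/graphql"),
              608: ("cloud.example.com", "/ocs/v2.php/apps/user_status/api/v1/heartbeat")}
```

Running `triage(SAMPLE_LOG, EXCLUSIONS)` shows that both HTTP/3.0 denials are matched by their intended exclusion on the logged server and path values, so the rule patterns themselves are not the mismatch; the difference has to be in what the engine sees for those variables (or when the ctl action runs) on HTTP/3 requests, which is the next thing to inspect with a debug log.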