cloud-platform
Create runbook for modsec tips and fixes
Background
We often get questions relating to modsec which require workarounds or guidance. We should create a runbook for frequently asked questions and solutions.
We will add to this runbook as we go.
As a first item we will add the workaround for "false positives".
More info and workaround of "false positives":
Users migrated to the new v1 modsec ingress controller and noticed a "406" error, caused by multiple false positive matches like "detected SQLi using libinjection."
This is a false positive as this is not reproducible in all environments.
Open issue related to it: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/794
Users who faced this issue: https://mojdt.slack.com/archives/C57UPMZLY/p1659528717441779 https://mojdt.slack.com/archives/C57UPMZLY/p1658746844176729
Many teams use this when false positives are detected; maybe it would be nice to build a library of such common rules. Thread: https://mojdt.slack.com/archives/C57UPMZLY/p1652800474948989?thread_ts=1652792483.163259&cid=C57UPMZLY
Approach
Create runbook.
Which part of the user docs does this impact
New runbook
Definition of done
- [ ] Create runbook for the workaround and future FAQs