ModSecurity with OWASP-CRS blocks ERDDAP queries containing '(' and ')' characters


I have installed ModSecurity on a Xubuntu 22.04 virtual machine running ERDDAP and ncWMS dockers for data distribution.

I installed ModSecurity via apt install libapache2-mod-security2 and then I enabled it via a2enmod security2.

I then installed OWASP Core Rule Set v3.3.0.

While running ERDDAP I noticed that the queries for requesting data were blocked if they contained ( or ) characters.

How can I set a rule for allowing queries with ( and ) characters?

Answer by Matteo:

OWASP CRS Dev on Duty here. The first step would indeed be to analyze the logs, looking for the rules that matched your requests. These can be found in the error logs, searching for entries containing the "ModSecurity: Warning." marker. It states that a rule has been triggered, alongside details like the rule ID and the payload that led to this match. Here is an example:

[2016-10-25 08:40:01.884172] [-:error] 127.0.0.1:42732 WA7@QX8AAQEAABC4maIAAAAV [client 127.0.0.1] …
ModSecurity: Warning. Matched phrase "/bin/bash" at ARGS:exec. …
[file "/apache/conf/crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "448"] [id "932160"] …
[rev "1"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: /bin/bash found …
within ARGS:exec: /bin/bash"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [maturity "1"] [accuracy "8"] …
[tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] …
[tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] …
[tag "PCI/6.5.2"] [hostname "localhost"] [uri "/index.html"] [unique_id "WA7@QX8AAQEAABC4maIAAAAV"]

Afterward, based on this knowledge, you can write an exclusion rule in order to tune away the unwanted match while minimizing the impact on the security posture (it is not advisable to disable the rule entirely; rather, disable it for specific paths only, or stop it from processing only specific variables).

You can read more about writing exclusion rules and dealing with false positives here: https://coreruleset.org/docs/concepts/false_positives_tuning/

I would also suggest the following Apache / ModSecurity series of tutorials that walk through ModSecurity and CRS installation up to handling false positives: https://www.netnea.com/cms/apache-tutorials/
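As an added example (not part of Matteo's answer or of the CRS project files), here is what the two exclusion forms described above look like for the ERDDAP case. The /erddap/ path prefix, the ARGS:query variable name and the RULE_ID_FROM_LOG placeholder are assumptions: replace them with the path, variable and [id "..."] value shown in your own error-log entry.

```apache
# Added example, not from the original answer. Runtime rule exclusions
# scoped to the ERDDAP path, so the CRS rule that flags '(' and ')' keeps
# protecting every other application behind the same Apache instance.
# Assumptions: ERDDAP is served under /erddap/, and RULE_ID_FROM_LOG is the
# [id "..."] value taken from the "ModSecurity: Warning." entry in the
# Apache error log. Put this in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:
# ctl: actions are evaluated per request and must be loaded before the CRS
# rules. IDs 1-99999 are reserved by CRS for local rules such as these.
# Use ONE of the two forms below, not both.

# Form 1 (preferred): the log reports the match in one specific variable
# (e.g. "at ARGS:query"). Only that variable is hidden from that one rule;
# the rule stays active for every other variable and every other path.
SecRule REQUEST_URI "@beginsWith /erddap/" \
    "id:1001,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=RULE_ID_FROM_LOG;ARGS:query"

# Form 2 (fallback): ERDDAP's query syntax mostly lacks key=value pairs, so
# ModSecurity may report the match in ARGS_NAMES rather than in one fixed
# variable. Then disable the single offending rule, but only for /erddap/.
SecRule REQUEST_URI "@beginsWith /erddap/" \
    "id:1002,phase:1,pass,nolog,\
    ctl:ruleRemoveById=RULE_ID_FROM_LOG"

# Verification after reloading Apache: re-run the previously blocked ERDDAP
# query and confirm that RULE_ID_FROM_LOG no longer appears in the error
# log for it, then send a request containing '(' and ')' to a non-ERDDAP
# path and confirm that the same rule still produces a Warning entry.
```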