mod security is blocking Mattermost

[LocalHeroPro]

Describe the bug
When I set SecRuleEngine to On and reload Apache I can't use Mattermost.
It's false positive?

Logs and dumps
[20/May/2019:08:19:22 +0000] [chat.example.com/sid#7f56afd36cc0][rid#7f56b7d210a0][/api/v4/users/iodhzwdcffyf8madecttob4jre/preferences][1] Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]

Server spec:
Apache/2.4.29 (Ubuntu)
libapache2-mod-security2 (2.9.2-1)
OWASP ModSecurity Core Rule Set (CRS) - Branch v3.2 - Head f06e3bd.

[victorhora]

Hi @LocalHeroPro,

Yes, it's a false positive. But according to your issue description, it's probably a FP with the CRS and you probably need to tune your rules and/or create exceptions for your environment.

The CRS docs may help you, but if you still have issues I would suggest checking with the CRS community.

Thanks.