
Re: Giving full access / avoiding logging to a certain IP Address: msg#00078

apache.mod-security.user

Subject: Re: Giving full access / avoiding logging to a certain IP Address

Thank you Ofer,

But despite this try, I'm still stuck with this problem.
More information:

* trusted IP 192.168.0.22
* website IP 192.168.0.100
* I placed the following line SecRule REMOTE_ADDR "^192\.168\.0\.22$"
"noauditlog,nolog,allow,phase:1" before any mod_security_crs_.conf
directive
* and restart the apache server

To test the bypass, I sent /etc/passwd as a URL parameter to trigger
mod_security. Normally it shouldn't react, but here is what it
caught:

--a1808d74-Z--

--a1808d74-A--
[14/Nov/2006:16:55:20 +0100] C6PF@n8AAAEAABXHRIoAAAAC 192.168.0.22
4201 192.168.0.100
--a1808d74-B--
GET /logs/fpfis/etc/passwd HTTP/1.1
Accept: */*
Accept-Language: fr-be
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
.NET CLR 1.1.4322)
Host: 192.168.0.100
Connection: Keep-Alive
Cache-Control: no-cache
Authorization: Basic ZnBmaXNhZG1pbjokRlBGSVNwYXNzMDAx

--a1808d74-F--
HTTP/1.1 500 Internal Server Error
Content-Length: 545
Connection: close
Content-Type: text/html; charset=iso-8859-1

--a1808d74-H--
Message: Access allowed (phase 1). Pattern match
"^192\\.168\\.0\\.22$" at REMOTE_ADDR.
Message: Access denied with code 500 (phase 2). Pattern match
"(?:\\b(?:.(?:ht(?:access|passwd|group)|www_?acl)|global.asa|httpd.conf|boot.ini)\\b|\\/etc\\/)"
at REQUEST_FILENAME. [id "50005"] [msg "Remote File Access Attempt"]
[severity "WARNING"]
Action: Intercepted (phase 2)
Stopwatch: 1163519720670714 35738 (15859 31451 -)
Producer: ModSecurity v2.0.3 (Apache 2.x)
Server: Apache

--a1808d74-Z--

The blocking pattern is
# file injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS
"(?:\b(?:.(?:ht(?:access|passwd|group)|www_?acl)|global.asa|httpd.conf|boot.ini)\b|\/etc\/)"
\
"deny,log,id:50005,severity:4,msg:'Remote File Access Attempt'"

in modsecurity_crs_40_generic_attacks.conf

I'd like to bypass it but not disable it for others.

Any idea?

Thanks a lot, best regards

Alexandre

On 11/14/06, Ofer Shezaf <OferS@xxxxxxxxxx> wrote:
>
>
>
> > Jean-Francois wrote:
> >
> > Dear all,
> >
> > I'm new to mod_security 2 (installed on Apache 2.0x).
>
> Welcome!
>
> >
> > I'd like to bypass any core rule defined by mod_security for one
> > specific IP Address, and also avoid logging information concerning
> > accesses from this IP address
> >
> > The main reason is to avoid populating logfiles with useless
> > information (the IP address is totally trusted) and give full access
> > to this super-trusted computer.
> >
> > So I created the following rule and placed into my httpd.conf:
> >
> > SecRule REMOTE_ADDR "^192\.168\.0\.22$" "noauditlog,nolog,allow"
> >
> > But when I'm trying to reach an URL containing, for instance, the
> > chain "/etc/passwd", I get an internal error, and the access is logged
> > into the audit log file.
> >
> > Is it possible to totally bypass core rules and completely avoid logging?
>
> Bypassing core rules requires being executed before them. Two things to
> consider in this respect are:
>
> 1. Add a phase action to the rule to ensure it happens early:
> SecRule REMOTE_ADDR "^192\.168\.0\.22$" "noauditlog,nolog,allow,phase:1"
>
> 2. Place it early. Near the top of file
> modsecurity_crs_20_protocol_violations.conf should do fine
>
> If you want to use your own files, ensure that you include it in httpd.conf
> before the core rule set.
>
> ~ Ofer
>
>

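The audit log in the post above already shows why the phase 1 rule is not enough on its own: "Access allowed (phase 1)" is followed by "Access denied with code 500 (phase 2)". In ModSecurity 2.0.x (before 2.5 changed this) the allow action only stops processing of the remaining rules in the current phase, so the phase 2 rules in modsecurity_crs_40_generic_attacks.conf still run and rule 50005 still fires. The configuration below is an added example, not taken from the thread or from the Core Rule Set: it matches the trusted address once in phase 1 and then switches the rule engine and the audit engine off for the rest of that transaction with the ctl action, so no later rule in any phase can block or log it. The include path is an assumption; the IP addresses are the ones from the post.

```apache
# Added example (not from the thread): exempt one trusted client from every
# core rule and from logging, for the whole transaction.
# Place this in httpd.conf BEFORE the core rules are included.
# Assumed path: /etc/httpd/modsecurity.d/ (adjust to your layout).
<IfModule mod_security2.c>
    SecAuditEngine RelevantOnly

    # Phase 1 runs on the request headers, before any phase 2 core rule.
    # "allow" by itself only ends the current phase in 2.0.x, so the phase 2
    # rules (e.g. id 50005) would still fire. ctl:ruleEngine=Off disables
    # rule processing for the remainder of this transaction, and
    # ctl:auditEngine=Off keeps the transaction out of the audit log;
    # nolog,noauditlog keep this match itself out of the error and audit logs.
    SecRule REMOTE_ADDR "^192\.168\.0\.22$" \
        "phase:1,allow,nolog,noauditlog,ctl:ruleEngine=Off,ctl:auditEngine=Off"

    # The core rules are included only after the exemption above.
    Include /etc/httpd/modsecurity.d/modsecurity_crs_*.conf
</IfModule>
```

The alternative of repeating the rule with phase:2 and allow also covers the phase 2 core rules, but it has to be placed before them in that phase as well and does nothing for rules in phases 3 to 5; the ctl approach needs a single rule and does not depend on the order of the files that follow it. Keep the anchored regular expression (^ and $), otherwise 192.168.0.220 would also be trusted, and remember that REMOTE_ADDR is the TCP peer, so a proxy in front of Apache would make every client look like the proxy.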

