
Re: mod-security-users Digest, Vol 6, Issue 22: msg#00106

apache.mod-security.user

Subject: Re: mod-security-users Digest, Vol 6, Issue 22

On 11/21/06, Dan Rossi <spam@xxxxxxxxxxxxxxxx> wrote:
>
> OK, another issue I've experienced now is when we are blocking requests with
> no user agent; some things don't send user agents, like PHP includes to other
> scripts, curl, etc. How do we go about this?

I don't think there's anything you can do about it. Not having a
User-Agent is perfectly legal as far as HTTP is concerned. You could
try to allow such clients only from specific IP addresses, for
example.


> I've also discovered rules like therule log,pass, doesn't end up using this
> action it ends up using the default action, will mod sec 2 definitely be
> able to override some of the filters via virtualhost configs and allow the
> rest to pass through?

I am not sure what problem you are describing. Can you be more specific please?

Both ModSecurity 1.9.x and 2.x provide equal capabilities when it
comes to rule overriding. You have options to either remove all rules
and start from scratch, or remove only some rules (by their specific
ID, ID range, or keyword that appears in the message). Look up
SecRuleRemoveById and SecRuleRemoveByMsg in the manual. In both cases
you can add new rules as you please.


> I'm also liking to send an email to myself when a rule is triggered, how is
> it possible to send the message to a Perl script in the configs?

You can implement that via an external script using the exec action.
In general it's not a very good idea unless you implement throttling
too, i.e. have a mechanism that will prevent uncontrolled sending of
thousands of emails.

--
Ivan Ristic
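
The throttling described in the reply above, as an added example (not part of the original message or of ModSecurity itself): a fixed-window gate for a script that is started once per rule match. The function name `should_send`, the state file location and the limits are assumptions; actual mail delivery is left to whatever mailer the script already uses.

```python
#!/usr/bin/env python3
"""Throttle gate for an alert script started once per rule match."""
import fcntl
import json
import os
import tempfile
import time

# Assumed values. In production keep the state file in a directory that
# only the web server user can write, not a shared temp directory.
STATE_FILE = os.path.join(tempfile.gettempdir(), "modsec_alert_throttle.json")
MAX_ALERTS = 5        # e-mails allowed per window
WINDOW_SECONDS = 600  # window length in seconds


def should_send(state_file=STATE_FILE, now=None,
                max_alerts=MAX_ALERTS, window=WINDOW_SECONDS):
    """Return (send, carried): whether to mail now, and how many alerts the
    previous window dropped (non-zero only on the first call of a new window)."""
    now = time.time() if now is None else now
    # Every match is a new process, so the counter has to live in a file.
    # O_NOFOLLOW refuses a symlink planted at the state file path.
    fd = os.open(state_file, os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "r+") as fh:
        # Exclusive lock: concurrent server children must not race on the count.
        fcntl.flock(fh, fcntl.LOCK_EX)
        try:
            state = json.load(fh)
        except ValueError:  # empty or corrupt file: start a fresh window
            state = {"start": now, "sent": 0, "dropped": 0}
        carried = 0
        if now - state["start"] >= window:
            carried = state["dropped"]
            state = {"start": now, "sent": 0, "dropped": 0}
        send = state["sent"] < max_alerts
        state["sent" if send else "dropped"] += 1
        fh.seek(0)
        fh.truncate()
        json.dump(state, fh)
    return send, carried  # lock is released when the file is closed


if __name__ == "__main__":
    send, carried = should_send()
    if send:
        # Hand the message to the real mailer here (smtplib, sendmail, ...).
        print(f"alert sent ({carried} alerts suppressed in the previous window)")
    else:
        print("alert suppressed by throttle")
```

Reporting the dropped count on the first mail of the next window keeps a burst visible without sending one message per hit.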


