
Re: erratic http error code: msg#00130

apache.mod-security.user

Subject: Re: erratic http error code

Achim Hoffmann wrote:
> !! SecDefaultAction log,auditlog,deny,status:400,\
> !! phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace
> !!
> !! <Location "/spanien/guest/guest.php">
> !! SecRule ARGS "http"\
> !!   "deny,log,id:66023,severity:5,msg:'Spam',exec:/etc/modsecurity/ip-blacklist.pl"
> !! </Location>
>
> Are you aware that rules inside directives (location, directory, virtualhost)
> are read and performed after phase 1?
> So the question is whether there is a rule that matches before, probably in
> phase 1.
>
> Achim

Well, no, I did not know that fact. But if you look at the log I posted,
you'll see that the exact rule id (66023) is given. And there's no way
this could happen if another rule had triggered, right?

But still, you've got a point: I don't know what exactly the "phase:2"
in my SecDefaultAction does...

Regards,
Felix


PS: Achim, sorry for the duplicate email, my mistake.

Here's the related part of my audit.log:


--773a4c26-A--
[24/Nov/2006:13:37:42 +0100] czLZNH8AAAEAAFH@BRoAAAAE <CLIENTIP> 5850 <HOSTIP> 80
--773a4c26-B--
POST /spanien/guest/guest.php HTTP/1.1
Host: <HOSTNAME>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.8.1) Gecko/20061023 SUSE/2.0-32.1 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://<HOSTNAME>/spanien/guest/submit.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 171

--773a4c26-C--
name=felix&email=&icq=&homepage=http%3A%2F%2Fspammer.de&text=Felix+testet+mal+wieder+den+Spamfilter%2C+nicht+wundern....%0D%0A%0D%0Ahttp%3A%2F%2Fspammer.de&entry=Eintragen
--773a4c26-F--
HTTP/1.1 403 Forbidden
Content-Length: 284
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--773a4c26-H--
Message: Access denied with code 403 (phase 2). Pattern match "http" at ARGS:homepage. [id "66023"] [msg "Spam"] [severity "NOTICE"]
Action: Intercepted (phase 2)
Stopwatch: 1164371861625140 618120 (63805* 617405 -)
Producer: ModSecurity v2.0.4 (Apache 2.x)
Server: Apache

--773a4c26-Z--
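An added example, not code from this thread or from ModSecurity itself, for reading the audit-log excerpt above: a small Python parser for the ModSecurity 2.x serial audit-log format (the `--boundary-X--` parts A, B, C, F, H, Z) that pulls the rule id, phase, deny code and matched variable out of the H trailer and sets them beside the status line actually sent in part F. The sample entry is constructed from the one in the post, trimmed, with its `<CLIENTIP>`/`<HOSTIP>`/`<HOSTNAME>` placeholders kept; the regexes for the `Message:` line assume the 2.0.x wording visible on the page. The `status_mismatch` helper is an assumption of what one would check here: whether the code the engine reports differs from the `status:400` in the quoted SecDefaultAction, which is the mismatch the thread is chasing.

```python
"""Parse ModSecurity 2.x serial audit-log entries and report which rule fired,
in which phase, with which deny code, and what status the client got."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the entry from the post above, trimmed, with the post's
# own <CLIENTIP>/<HOSTIP>/<HOSTNAME> placeholders left in place.
SAMPLE_AUDIT_LOG = """\
--773a4c26-A--
[24/Nov/2006:13:37:42 +0100] czLZNH8AAAEAAFH@BRoAAAAE <CLIENTIP> 5850 <HOSTIP> 80
--773a4c26-B--
POST /spanien/guest/guest.php HTTP/1.1
Host: <HOSTNAME>
Content-Type: application/x-www-form-urlencoded
Content-Length: 171

--773a4c26-C--
name=felix&email=&icq=&homepage=http%3A%2F%2Fspammer.de&entry=Eintragen
--773a4c26-F--
HTTP/1.1 403 Forbidden
Content-Length: 284
Content-Type: text/html; charset=iso-8859-1

--773a4c26-H--
Message: Access denied with code 403 (phase 2). Pattern match "http" at ARGS:homepage. [id "66023"] [msg "Spam"] [severity "NOTICE"]
Action: Intercepted (phase 2)
Producer: ModSecurity v2.0.4 (Apache 2.x)

--773a4c26-Z--
"""

# "--<boundary>-<part>--" introduces each part (A..Z) of one entry.
PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Part A: [timestamp] unique-id client-ip client-port host-ip host-port
SUMMARY_RE = re.compile(r"^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")
# Pieces of the H-part "Message:" line as written by ModSecurity 2.0.x.
DENY_RE = re.compile(r"Access denied with code (\d+) \(phase (\d)\)")
MATCH_RE = re.compile(r'Pattern match "([^"]*)" at (\S+?)\.(?:\s|$)')
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_audit_log(text: str) -> Dict[str, Dict[str, str]]:
    """Return {boundary: {part_letter: body}} for every entry in the log."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Optional[Tuple[str, str]] = None
    for line in text.splitlines():
        m = PART_RE.match(line)
        if m:
            boundary, part = m.groups()
            entries.setdefault(boundary, {})[part] = []
            current = (boundary, part)
        elif current is not None:
            entries[current[0]][current[1]].append(line)
    return {b: {p: "\n".join(ls).strip("\n") for p, ls in parts.items()}
            for b, parts in entries.items()}


def summarize_entry(parts: Dict[str, str]) -> Dict[str, object]:
    """Pull client, request line, rule id/phase/deny code and sent status out of one entry."""
    out: Dict[str, object] = {
        "timestamp": None, "client_ip": None, "request_line": None,
        "rule_id": None, "phase": None, "deny_code": None,
        "pattern": None, "variable": None, "tags": {}, "response_status": None,
    }
    m = SUMMARY_RE.match(parts.get("A", ""))
    if m:
        out["timestamp"], out["client_ip"] = m.group(1), m.group(3)
    req = parts.get("B", "").splitlines()
    if req:
        out["request_line"] = req[0]
    for line in parts.get("H", "").splitlines():
        if not line.startswith("Message:"):
            continue
        m = DENY_RE.search(line)
        if m:
            out["deny_code"], out["phase"] = int(m.group(1)), int(m.group(2))
        m = MATCH_RE.search(line)
        if m:
            out["pattern"], out["variable"] = m.group(1), m.group(2)
        tags = dict(TAG_RE.findall(line))        # [id "..."] [msg "..."] [severity "..."]
        out["tags"] = tags
        out["rule_id"] = tags.get("id")
    resp = parts.get("F", "").splitlines()
    m = re.match(r"HTTP/\d\.\d (\d{3})", resp[0]) if resp else None
    if m:
        out["response_status"] = int(m.group(1))
    return out


def status_mismatch(summary: Dict[str, object], expected_status: int) -> bool:
    """True when the engine's reported deny code differs from the status you
    configured (e.g. the status:400 of the SecDefaultAction quoted above)."""
    code = summary["deny_code"]
    return code is not None and code != expected_status


if __name__ == "__main__":
    for boundary, parts in parse_audit_log(SAMPLE_AUDIT_LOG).items():
        s = summarize_entry(parts)
        print(boundary, s["client_ip"], s["request_line"], "rule", s["rule_id"],
              "phase", s["phase"], "denied with", s["deny_code"], "sent",
              s["response_status"], "MISMATCH vs 400" if status_mismatch(s, 400) else "ok")
```

On the sample the summary reports rule 66023 intercepting in phase 2 with 403, and part F confirms 403 went to the client, so the mismatch against the expected 400 is in the engine's own decision and not something introduced later in the response path.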

