Subject: Re: secRuleRemoveById not working - msg#00135
List: apache.mod-security.user
Ofer Shezaf wrote:
>
> Rule 50107 executes in phase 1. Apache Location and LocationMatch tags
> are not evaluated yet during this phase, so you cannot use it to bypass
> this rule. Currently your base choice is to move rule 50107 to phase 2.
>
> Actually I think that in future releases of the rule set I may delay
> most rules to phase 2 for that reason until we find a way to use
> Location in phase 1.
>
> As for logs: the rule set by default outputs events to both the Apache error
> log and the ModSecurity audit log. The ModSecurity console uses the audit
> log, which also has more details, but different SIM solutions work
> out of the box with the Apache error log. I would love to hear more input on
> that.
>
> ~ Ofer
>
>
Hi, thanks for the input. I may move the rules I need to override to
phase 2 then, easy. I would prefer if everything was logged to the audit log.
If you are talking about the default action, it's set to log, so I'm
assuming Apache log; I have to put auditlog explicitly for it to log to
the audit log. My next complication is trying to get mod_unique_id
installed into one of the servers; ModSecurity doesn't seem to want to load
without it.
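
The phase change discussed in this thread, as an added configuration sketch that is not part of the original messages. Rule id 900001, its operator and the script path are hypothetical stand-ins, since the body of rule 50107 does not appear in the thread.

```apache
# Added example, ModSecurity 2.x directive syntax.
# Rule id 900001, its operator and the paths are hypothetical stand-ins.

SecRuleEngine On

# Send matches to both the Apache error log (log) and the ModSecurity
# audit log (auditlog), stated explicitly rather than relying on defaults.
SecDefaultAction "phase:2,log,auditlog,deny,status:400"

# BEFORE: the rule runs in phase 1 (request headers). Per Ofer's reply,
# <Location>/<LocationMatch> are not evaluated yet in that phase, so the
# SecRuleRemoveById below has no effect on it.
#
#   SecRule REQUEST_URI "@validateUrlEncoding" \
#       "phase:1,id:900001,deny,status:400,log,auditlog,msg:'Invalid URL encoding'"

# AFTER: the same rule moved to phase 2, which runs once the
# per-location configuration is in effect, so the removal applies.
SecRule REQUEST_URI "@validateUrlEncoding" \
    "phase:2,id:900001,deny,status:400,log,auditlog,msg:'Invalid URL encoding'"

# Exclusion scoped to a single script; every other URL keeps the rule.
# The removal must appear after the rule it removes, and the pattern is
# anchored so it does not match unrelated paths containing the string.
<LocationMatch "^/path/script\.php$">
    SecRuleRemoveById 900001
</LocationMatch>
```

Moving a rule to phase 2 means it is evaluated after the request body has been read, so keep in phase 1 any check that is meant to reject a request before its body is processed.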
Thread at a glance:
Previous Message by Date:
Re: [solved] erratic http error code
I will have a look at it. The problem is that ModSecurity has simply
outgrown the Apache configuration system. We want to do things that are
either difficult or not possible. As a consequence we are experiencing
these "special cases".
On 11/26/06, Felix Nawroth <lists@xxxxxxxxxxxxxxxxx> wrote:
> Felix Nawroth wrote:
> >> !! SecDefaultAction log,auditlog,deny,status:400,\
> >> !! phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace
> >> !!
> >> !! <Location "/spanien/guest/guest.php">
> >> !! SecRule ARGS "http"\
> >> !!
> >> "deny,log,id:66023,severity:5,msg:'Spam',exec:/etc/modsecurity/ip-blacklist.pl"
> >> !! </Location>
>
> OK, I've solved it by redefining a status:400 in the rule. I had tried
> that earlier without success, don't know what I'm doing different now.
>
> So the status set in SecDefaultAction is not inherited into a Location,
> it seems. I've also tried it with "SecRuleInheritance On", still the
> same. This isn't mentioned in the manual, perhaps Ivan could add it?
>
> Regards,
> Felix
>
--
Ivan Ristic
Next Message by Date:
Re: secRuleRemoveById not working
Hi, setting it to phase:2 works; however, it still gets logged into the
audit log! How do I stop it from being logged even after I removed the
rule by doing this:
<LocationMatch "/signup">
SecRuleRemoveById 50108
</LocationMatch>
Previous Message by Thread:
Re: secRuleRemoveById not working
From Dan:
> Hi, I'm trying to pass this rule through, to ignore URL encoding for this
> script; however, it still gets caught in the audit log. It also seems that for all
> the default rules downloaded I have to change to auditlog instead of log
> to log to the ModSecurity audit log rather than the Apache error log.
> <LocationMatch "/path/script.php">
> SecRuleRemoveById 50107
> </LocationMatch>
Rule 50107 executes in phase 1. Apache Location and LocationMatch tags
are not evaluated yet during this phase, so you cannot use it to bypass
this rule. Currently your base choice is to move rule 50107 to phase 2.
Actually I think that in future releases of the rule set I may delay
most rules to phase 2 for that reason until we find a way to use
Location in phase 1.
As for logs: the rule set by default outputs events to both the Apache error
log and the ModSecurity audit log. The ModSecurity console uses the audit
log, which also has more details, but different SIM solutions work
out of the box with the Apache error log. I would love to hear more input on
that.
~ Ofer