
Re: secRuleRemoveById not working: msg#00138

apache.mod-security.user

Subject: Re: secRuleRemoveById not working

Hi, apologies, it seems to be OK for now. However, all 404 errors are being trapped in this log also. I was hoping to be able to execute a mailer script action, so hopefully all 404s are not being triggered in mod sec?

And I don't understand what this is linking to the source file for some reason?

Apache-Error: [file "/usr/home/danielr/php-4.4.4/sapi/apache2handler/sapi_apache2.c"]



--e9564c03-H--
Apache-Error: [file "/usr/home/danielr/php-4.4.4/sapi/apache2handler/sapi_apache2.c"] [line 282] [level 3] script '/usr/local/www/data/signup/post_signup5.php' not found or unable to stat
Stopwatch: 1164588053862349 525337 (13451 524435 -)
Producer: ModSecurity v2.0.3 (Apache 2.x)
Server: Apache/2.0.59 (FreeBSD) PHP/4.4.4 DAV/2 hiperf_auth_mysql_module/1.0.3

--e9564c03-Z--

--e9564c03-A--

GET /signup/post_signup5.php HTTP/1.0
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.9 (KHTML, like Gecko) Safari/419.3

X-Forwarded-For: 60.241.190.74
Cache-Control: max-age=259200
Connection: keep-alive

--e9564c03-F--
HTTP/1.1 404 Not Found
Content-Length: 308
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--e9564c03-H--
Apache-Error: [file "/usr/home/danielr/php-4.4.4/sapi/apache2handler/sapi_apache2.c"] [line 282] [level 3] script '/usr/local/www/data/signup/post_signup5.php' not found or unable to stat
Stopwatch: 1164588104661146 64266 (13860 63354 -)
Producer: ModSecurity v2.0.3 (Apache 2.x)
Server: Apache/2.0.59 (FreeBSD) PHP/4.4.4 DAV/2 hiperf_auth_mysql_module/1.0.3

--e9564c03-Z--

--1633cb5c-A--

--1633cb5c-B--
GET /signup/post_signup5.php HTTP/1.0
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.9 (KHTML, like Gecko) Safari/419.3
Host:

X-Forwarded-For: 60.241.190.74
Cache-Control: max-age=259200
Connection: keep-alive

--1633cb5c-F--
HTTP/1.1 404 Not Found
Content-Length: 308
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--1633cb5c-H--
Apache-Error: [file "/usr/home/danielr/php-4.4.4/sapi/apache2handler/sapi_apache2.c"] [line 282] [level 3] script '/usr/local/www/data/signup/post_signup5.php' not found or unable to stat
Stopwatch: 1164588323396545 63579 (13574 62705 -)
Producer: ModSecurity v2.0.3 (Apache 2.x)
Server: Apache/2.0.59 (FreeBSD) PHP/4.4.4 DAV/2 hiperf_auth_mysql_module/1.0.3

--1633cb5c-Z--

--8dc87605-A--

--8dc87605-B--
GET /favicon.ico HTTP/1.0
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.9 (KHTML, like Gecko) Safari/419.3
If-Modified-Since: Mon, 27 Nov 2006 00:38:59 GMT
Host:

X-Forwarded-For: 60.241.190.74
Cache-Control: max-age=259200
Connection: keep-alive

--8dc87605-F--
HTTP/1.1 404 Not Found
Content-Length: 296
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--8dc87605-H--
Apache-Error: [file "core.c"] [line 3543] [level 3] File does not exist: /usr/local/www/data/favicon.ico
Stopwatch: 1164588323615158 50310 (2224 49994 -)
Producer: ModSecurity v2.0.3 (Apache 2.x)
Server: Apache/2.0.59 (FreeBSD) PHP/4.4.4 DAV/2 hiperf_auth_mysql_module/1.0.3

--8dc87605-Z--



Ofer Shezaf wrote:

 

I assume you meant 50107 (as there is no 50108 in the core rule set). Now to further understand:

 

- Do you mean that the request was not blocked but still logged to the audit log?

- Was it logged to the Apache error log?

- Can you send the relevant audit log record? It will help us to understand where the problem is.

 

Thanks

~ Ofer

 


From: Dan Rossi [mailto:spam@xxxxxxxxxxxxxxxx]
Sent: Monday, November 27, 2006 12:47 AM
To: Ofer Shezaf
Cc: mod-security-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [mod-security-users] secRuleRemoveById not working

 

Hi, setting it to phase:2 works; however, it still gets logged into the auditlog! How do I stop it from being logged even after I removed the rule by doing this:

<LocationMatch "/signup">
    SecRuleRemoveById 50108
</LocationMatch>

Ofer Shezaf wrote:



 
Rule 50107 executes in phase 1. Apache Location and LocationMatch tags
are not evaluated yet during this phase, so you cannot use them to bypass
this rule. Currently your best choice is to move rule 50107 to phase 2.
 
Actually I think that in future releases of the rule set I may delay
most rules to phase 2 for that reason until we find a way to use
Location in phase 1.
 
As for logs: the rule set by default outputs events to both the Apache error
log and the ModSecurity audit log. The ModSecurity console uses the audit
log, which also has more details, but different SIM solutions work
out of the box with the Apache error log. I would love to hear more input on
that.
 
~ Ofer
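
Added example (not part of the original thread and not ModSecurity's own code): the Python below parses audit-log records in the `--id-X--` layout quoted above and separates transactions whose section H carries a rule `Message:` line from those that carry only relayed `Apache-Error:` lines, as the 404 records in this thread do. The sample log, its IDs, paths and rule message are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the audit-log layout quoted in this thread.
# IDs, paths and the rule message are invented for illustration.
SAMPLE = """\
--aaaa0001-A--
--aaaa0001-B--
GET /favicon.ico HTTP/1.0
--aaaa0001-F--
HTTP/1.1 404 Not Found
--aaaa0001-H--
Apache-Error: [file "core.c"] [level 3] File does not exist: /var/www/favicon.ico
Producer: ModSecurity v2.0.3 (Apache 2.x)
--aaaa0001-Z--

--aaaa0002-B--
GET /signup/form.php?x=1 HTTP/1.0
--aaaa0002-F--
HTTP/1.1 403 Forbidden
--aaaa0002-H--
Message: Access denied with code 403 (phase 2). [id "999999"] [msg "constructed"]
--aaaa0002-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]{8})-([A-Z])--\s*$")

def parse_audit_log(text):
    """Group audit-log text into {txn_id: {section_letter: [non-blank lines]}}."""
    records, txn, part = {}, None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:  # a repeated section for the same id appends to the same list
            txn, part = m.group(1), m.group(2)
            records.setdefault(txn, {}).setdefault(part, [])
        elif txn is not None and line.strip():
            records[txn][part].append(line)
    return records

def classify(record):
    """Return (status, 'rule' | 'status-only') for one parsed transaction."""
    first = (record.get("F") or ["- 0"])[0]          # e.g. 'HTTP/1.1 404 Not Found'
    status = int(first.split()[1])                   # 0 when section F is absent
    hit = any(l.startswith("Message:") for l in record.get("H", []))
    return status, ("rule" if hit else "status-only")

def triage(text):
    """Map each transaction id to its classification, in log order."""
    return {txn: classify(rec) for txn, rec in parse_audit_log(text).items()}
```

Records reported as `status-only` show no rule message in their trailer, which helps tell rule hits apart from entries that only relay an Apache error such as a missing file.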
 
  

 

