Re: secRuleRemoveById not working

Hi it seems i cannot turn off mod sec filtering for a particular location, even if i try to trigger it, its still filtering, and even though ive set everything to goto auditlog its still displaying in the apache error logs !

[Mon Nov 27 20:00:48 2006] [error] [client 202.7.166.169] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(?:\\\\b(?:.(?:ht(?:access|passwd|group)|www_?acl)|global.asa|httpd.conf|boot.ini)\\\\b|\\\\/etc\\\\/)" at ARGS:s. [id "50005"] [msg "(default/generic_attacks.conf) Remote File Access Attempt"] [severity "WARNING"] [hostname ""] [uri "/admin/index.php?s=../../../etc/passwd"] [unique_id "xRKWkcCoAGcAANf2CWMAAAAB"]
192#

/admin/index.php?s=../../../etc/passwd

<VirtualHost *:80>
    DocumentRoot /www/
    ServerName domain
<Location /admin/>
SecRuleEngine Off
SecAuditEngine Off
SecRequestBodyAccess Off
SecResponseBodyAccess Off
</Location>   
</VirtualHost>

I have this just after the mod sec rules includes. Ive also been trying to intergrate the got root set of mod security rulesets, so it could be a problem however i had these commented out. Im assuming rules that have actions dont use the default action rule, which in each of the configs there seems to be one for each file how does that work ? Ive had to explicitly say auditlog for each of the actions on each rule to try and make it log to the auditlog and not apache log. Its besides the point its still filtering even though i said for it to be off for that location, and phase:2 option does nothing.

# file injection

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:.(?:ht(?:access|passwd|group)|www_?acl)|global.asa|httpd.conf|boot.ini)\b|\/etc\/)" \

        "deny,auditlog,phase:2,id:50005,severity:4,msg:'(default/generic_attacks.conf) Remote File Access Attempt'"

I got some real problems here i suppose, when i turned on the rules the load just went crazy, and i went mad trying to turn it off for locations and obviouslly not working.

let me know.

Ofer Shezaf wrote:

 

I assume you meant 50107 (as there is no 50108 in the core rule set). Now to further understand:

 

- Do you mean that the request was not blocked by still logged to the audit log?

- Was it logged to the Apache error log?

- Can you send the relevant audit log record? It will help us to understand where the problem is.

 

Thanks

~ Ofer

 

---

From: Dan Rossi [mailto:spam@xxxxxxxxxxxxxxxx]
Sent: Monday, November 27, 2006 12:47 AM
To: Ofer Shezaf
Cc: mod-security-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [mod-security-users] secRuleRemoveById not working

 

Hi setting it to phase:2 works, however it still gets logged into the auditlog ! How do i stop it from being logged even after i removed the rule by doing this

<LocationMatch "/signup">
 SecRuleRemoveById 50108
 </LocationMatch>

Ofer Shezaf wrote:

Rule 50107 executes in phase 1. Apache Location and LocationMatch tag

are not evaluated yet during this phase, so you cannot use it to bypass

this rule. Currently your base choice is to move rule 50107 to phase 2.

Actually I think that in future releases of the rule set I may delay

most rules to phase 2 for that reason until we find a way to use

Location in phase 1.

As for logs: the rule set by default output events to both Apache error

log and ModSecurity audit log. The ModSecurity console uses the audit

log, which is also has more details, but different SIM solutions work

out of the box with Apache error log. I would love to hear more input on

that.

~ Ofer

 

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV_______________________________________________
mod-security-users mailing list
mod-security-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/mod-security-users