
Re: mod sec 2 only able to turn off rules for a location in vhost conf and : msg#00147

apache.mod-security.user

Subject: Re: mod sec 2 only able to turn off rules for a location in vhost conf and audit log

No, these are set as phase:2 rules. Are you meaning if there are rules set as phase:1 you cannot turn off mod sec for a particular location within a vhost? Or the particular rule, as it's set to phase:2? I've got through all the confs and taken note of all the ids so I'm able to remove them manually for a location, and in the message added the file it comes from, i.e.

msg:'(default/generic_attacks.conf)'

I think this is the one I was testing against:

# file injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:.(?:ht(?:access|passwd|group)|www_?acl)|global.asa|httpd.conf|boot.ini)\b|\/etc\/)" \
        "deny,auditlog,id:50005,severity:4,msg:'(default/generic_attacks.conf) Remote File Access Attempt'"

Does it need a phase:2 directive?



Ofer Shezaf wrote:

 

Another note: I still did not read in detail the e-mails you sent yesterday (I will get to that), but vhost is the only location selection directive that works in phase 1, so it still seems like an issue with phases.

 

~ Ofer

 


From: mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Dan Rossi
Sent: Tuesday, November 28, 2006 6:35 AM
To: mod-security-users@xxxxxxxxxxxxxxxxxxxxx
Subject: [mod-security-users] mod sec 2 only able to turn off rules for a location in vhost conf and audit log

 

OK, it seems the only rule that works for a location in vhost configs is to turn off rules by id. This is going to take a lot of messing around with, as there are obviously hundreds of rules and ids.

I am still noticing 404s being logged into the audit log, which has nothing to do with trapping URLs. I was trying to trap one of the rules but got a 404 instead; it doesn't seem like it's running.

--0efc837a-A--
[28/Nov/2006:15:26:05 +1100] DHk6Q8CoAGcAAQ9PBRwAAAAA
--0efc837a-B--
GET /directory.php HTTP/1.0
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.9 (KHTML, like Gecko) Safari/419.3
Host:

X-Forwarded-For:
Cache-Control: max-age=259200
Connection: keep-alive

--0efc837a-F--
HTTP/1.1 404 Not Found
Content-Length: 298
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--0efc837a-H--
Apache-Error: [file "/usr/home/danielr/php-4.4.4/sapi/apache2handler/sapi_apache2.c"] [line 282] [level 3] script '/www/directory.php' not found or unable to stat
Stopwatch:(579 21364 -)
Producer: ModSecurity v2.0.3 (Apache 2.x)
Server: Apache/2.0.59 (FreeBSD) PHP/4.4.4 DAV/2 hiperf_auth_mysql_module/1.0.3

--0efc837a-Z--
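
Added example, not part of the original thread or of ModSecurity itself: a Python sketch that automates the manual step described above, reading rule files, collecting each rule's id and phase, and emitting a per-Location block of SecRuleRemoveById lines while flagging phase 1 rules, which per the reply above are only selectable at vhost level. The second file name, ids 60001 and 60002, the /app path and the default of phase 2 for rules without a phase action are assumptions.

```python
import re

# Constructed sample: only id 50005 and its msg come from the thread; the other
# rules, ids and the second file name are made up for illustration.
SAMPLE_CONFS = {
    "default/generic_attacks.conf": r'''
# file injection
SecRule REQUEST_FILENAME|ARGS "\/etc\/" \

        "deny,auditlog,id:50005,severity:4,msg:'(default/generic_attacks.conf) Remote File Access Attempt'"
''',
    "default/protocol.conf": r'''
SecRule REQUEST_METHOD "!^(?:GET|HEAD|POST)$" "phase:1,deny,id:60001,msg:'constructed'"
SecRule REQUEST_HEADERS:Content-Length "!^\d+$" \
        "phase:2,deny,id:60002,msg:'constructed'"
''',
}

def logical_lines(text):
    """Join backslash continuations, tolerating blank lines after the backslash."""
    return [ln.strip() for ln in re.sub(r"\\\s*\n\s*", " ", text).splitlines()]

def collect_rules(confs, default_phase=2):
    """Return [(file, id, phase)] for every SecRule that carries an id action."""
    rules = []
    for name, text in confs.items():
        for line in logical_lines(text):
            rule_id = re.search(r"\bid:'?(\d+)", line)
            if not line.startswith("SecRule ") or not rule_id:
                continue
            phase = re.search(r"\bphase:'?(\d)", line)
            rules.append((name, int(rule_id.group(1)),
                          int(phase.group(1)) if phase else default_phase))
    return rules

def location_block(path, rules):
    """Emit SecRuleRemoveById lines; phase 1 rules are flagged, not removed."""
    out = [f"<Location {path}>"]
    for name, rule_id, phase in rules:
        if phase == 1:
            out.append(f"    # {name}: id {rule_id} runs in phase 1, handle at vhost level")
        else:
            out += [f"    # {name}", f"    SecRuleRemoveById {rule_id}"]
    out.append("</Location>")
    return "\n".join(out)

if __name__ == "__main__":
    print(location_block("/app", collect_rules(SAMPLE_CONFS)))
```

Source-file comments are written on their own lines because Apache does not treat a trailing `#` on a directive line as a comment.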


