Hi All,

I'm a jackaroo with ModSecurity, and very interested in the ModSecurity Core Rule Set.

I am learning about CRS now; I downloaded the ModSecurity CRS and investigated it.
But I found that my 'ARGS' rules only match 'GET' requests and can't match
'POST' requests.

I downloaded the latest rule set package and ModSecurity engine, and only updated
the following configuration from the downloaded package:

SecDataDir /tmp
SecTmpDir /tmp
SecRuleEngine On
SecDefaultAction "phase:2,deny,log"

And I added my own rule file 'modsecurity_crs_15_customrules.conf' in the
'base_rules' directory; it only contains the 2 rules below.

SecRule ARGS "bruce" "phase:2,deny,t:none,t:lowercase,t:urlDecode,msg:'the attack what ARGS contain Bruce',setvar:'tx.msg=%{rule.msg}'"
SecRule ARGS_POST "bruce" "phase:2,deny,t:none,t:lowercase,t:urlDecode,msg:'the attack what ARGS_POST contain Bruce',setvar:'tx.msg=%{rule.msg}'"

I tested it on the web interface 'http://192.168.1.135/app.php?name=Bruce'
(ModSecurity and httpd are installed on this PC; app.php is in the attachment, with a
"name" text input area in a form).
The browser shows:
Forbidden
You don't have permission to access /app.php on this server.


--------------------------------------------------------------------------------

Apache/2.2.3 (Red Hat) Server at 172.22.14.149 Port 80
 
And the httpd log is:
ModSecurity: Access denied with code 403 (phase 2). Pattern match "bruce" at ARGS:name. [file "/etc/httpd/modsecurity_crs/base_rules/modsecurity_crs_15_customrules.conf"] [line "3"] [msg "the attack what ARGS contain Bruce"] [hostname "172.22.14.149"] [uri "/app.php"] [unique_id "nOrQFX8AAAEAACpHFRMAAAAC"]

But if I enter "Bruce" on the web interface 'http://192.168.1.135/app.php' and
click the "submit" button, the browser redirects to "next.php" successfully; obviously,
the rules do not work when a POST request is executed.

Who can help me with this?


Thanks and regards,

<<attachment: app.php>>

<<attachment: next.php>>
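An added configuration example (not from the original post, the CRS package, or the ModSecurity project) showing the directive that decides whether ARGS_POST can be populated at all. ModSecurity only parses POST form fields when SecRequestBodyAccess is On; the four directives quoted in the post do not include it, so this fragment places the weak setting beside the corrected one. Paths, size limits and the rule ids (100001/100002) are assumptions; the two rules are the post's own, with ids added because ModSecurity 2.7 and later require them.

```apache
# Added example, not from the original post or the CRS package.
# Goal: make the same "bruce" rules fire on a POSTed form field,
# not only on a query-string parameter.

# --- Weak setting: request bodies are never buffered ---
# With body access off, ModSecurity does not read the POST body, so
# ARGS_POST is empty and ARGS contains only query-string arguments.
# A rule on ARGS then blocks /app.php?name=Bruce but lets a POSTed
# name=Bruce through untouched.
# SecRequestBodyAccess Off

# --- Corrected setting: buffer and parse request bodies ---
SecRuleEngine On
SecRequestBodyAccess On
# Size limits (assumed values) so a large body cannot exhaust memory;
# an oversize body is rejected instead of passing through uninspected.
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject
SecDataDir /tmp
SecTmpDir /tmp
SecDefaultAction "phase:2,deny,log"

# The form must be submitted as application/x-www-form-urlencoded
# (the default for an HTML <form method="POST">) or multipart/form-data;
# those are the content types whose built-in parser fills ARGS_POST.
# phase:2 is the correct phase here: the body has not been read yet in
# phase:1, so ARGS_POST would still be empty there.
# Rule ids are assumed values outside the ranges used by CRS itself.
SecRule ARGS "bruce" "phase:2,deny,log,t:none,t:lowercase,t:urlDecode,id:100001,msg:'the attack what ARGS contain Bruce',setvar:'tx.msg=%{rule.msg}'"
SecRule ARGS_POST "bruce" "phase:2,deny,log,t:none,t:lowercase,t:urlDecode,id:100002,msg:'the attack what ARGS_POST contain Bruce',setvar:'tx.msg=%{rule.msg}'"
```

To check the fix on your own test host, send the form field in a body rather than in the URL, for example `curl -i -d 'name=Bruce' http://HOST/app.php` (HOST being your lab server): with SecRequestBodyAccess On the response is a 403 and the error log shows "Pattern match "bruce" at ARGS_POST:name" (or ARGS:name, since ARGS covers both); with it off the request reaches next.php and no ModSecurity line is logged, which is exactly the symptom described in the post.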

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
