Hi, is it normal that if a redirect is configured in Apache, mod_security does not block according to its rules? It logs the request, but the client is redirected.

GET /..%5c../ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/security-layer, application/security-capsule, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: de-at,en-us;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE......)
Accept-Encoding: gzip, deflate
Host: XXX.xxxx
Connection: Keep-Alive

--ac9b0025-F--
HTTP/1.1 302 Found
Location: https://XXX.xxxx/
Content-Length: 208
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--ac9b0025-H--
Message: Pattern match "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" at REQUEST_FILENAME. [file "/test/modsecurity_crs/modsecurity_crs_15_exception.conf"] [line "19"] [id "1000"] [rev "2.1.2"] [msg "Path Traversal Attack"] [severity "CRITICAL"]
Stopwatch: 1310867782439547 587 (- - -)
Producer: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); core ruleset/2.1.2.
Server: Apache

If I do this without the redirect, the rule blocks with a 403. That's the rule:

SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:1,rev:'2.1.2',t:none,ctl:auditLogParts=+E,block,msg:'Path Traversal Attack',id:'1000',severity:'2'"
    SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \
        "t:none,t:lowercase,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"

Thanks in advance,
Michael
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
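As an added example, not part of the original post or of the CRS itself, the following Python script models what the quoted chained rule does to a request: it applies the rule's own regex (copied verbatim from the post) to the request path with the `t:none,t:lowercase` transformation chain, gates it on `TX:PARANOID_MODE` the way the first rule of the chain does, and records the `setvar` effects. The request lines are constructed; the first is the one from the audit log. The anomaly-score increment of 5 is an assumption standing in for `%{tx.critical_anomaly_score}`, whose value comes from the CRS config file and is not shown on the page. The script only shows what matches and what the rule would set; it says nothing about why the Apache redirect is served before the block takes effect.

```python
import re

# Regex copied verbatim from rule id 1000 in the post. Every construct it uses
# (\x5c, \/, non-capturing groups, {2}) means the same thing in PCRE and Python re.
DIR_TRAVERSAL_RX = re.compile(
    r"(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))"
    r"(?:%(?:u2024|2e)|\.){2}"
    r"(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))"
)

# Assumption: stands in for %{tx.critical_anomaly_score}; the real value is set
# in the CRS configuration, which the post does not quote.
CRITICAL_ANOMALY_SCORE = 5


def request_filename(request_line: str) -> str:
    """Approximate REQUEST_FILENAME: the request target without its query string."""
    _method, target, *_rest = request_line.split()
    return target.split("?", 1)[0]


def matches_dir_traversal(path: str, lowercase: bool = True) -> bool:
    """Run the second rule's regex after its transformation chain.

    t:none clears inherited transformations, t:lowercase folds case. The regex
    itself is case-sensitive, so without t:lowercase an upper-case %5C escapes it.
    """
    subject = path.lower() if lowercase else path
    return DIR_TRAVERSAL_RX.search(subject) is not None


def rule_1000(tx: dict, path: str) -> dict:
    """Model the chained rule against one request path.

    The first SecRule only lets the chain continue when TX:PARANOID_MODE equals 1.
    On a regex match the setvar actions record the message, add the critical
    score to tx.anomaly_score and store the matched variable under a key built
    from the rule id and the variable name (REQUEST_FILENAME here).
    Returns a new tx dict; the input is left untouched.
    """
    if tx.get("paranoid_mode") != 1:
        return dict(tx)
    if not matches_dir_traversal(path):
        return dict(tx)
    out = dict(tx)
    out["msg"] = "Path Traversal Attack"
    out["anomaly_score"] = out.get("anomaly_score", 0) + CRITICAL_ANOMALY_SCORE
    out["1000-WEB_ATTACK/DIR_TRAVERSAL-REQUEST_FILENAME"] = path
    return out


# Constructed request lines. The first is the one from the audit log in the post;
# the rest probe the separator/dot/separator shape the regex requires.
SAMPLE_REQUEST_LINES = [
    "GET /..%5c../ HTTP/1.1",
    "GET /..%5C../ HTTP/1.1",
    "GET /%2e%2e%255c HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /foo../bar?x=1 HTTP/1.1",
]


def evaluate(request_lines, paranoid_mode: int = 1):
    """Return [(path, matched, anomaly_score)] for each request line."""
    results = []
    for line in request_lines:
        path = request_filename(line)
        tx = rule_1000({"paranoid_mode": paranoid_mode}, path)
        results.append((path, matches_dir_traversal(path), tx.get("anomaly_score", 0)))
    return results


if __name__ == "__main__":
    for path, matched, score in evaluate(SAMPLE_REQUEST_LINES):
        print(f"{path!r:24} match={matched!s:5} anomaly_score={score}")
```

Note that `/foo../bar` does not match: the regex needs a separator on both sides of the two dots, so a dotted segment in the middle of a name is not flagged, while `/..%5C../` matches only because `t:lowercase` runs first.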
