Hi Ryan,

sorry I didn't mention it before. I use this configuration to redirect from port 80 to 443.

RewriteEngine On
RewriteRule ^/(.*) https://XXX.xxx/

Michael

2011/7/17 Ryan Barnett <[email protected]>

> You might want to try using a mod_rewrite rule for your redirect instead, as
> ModSecurity rules can run before them.
>
> Ryan
>
> On Jul 16, 2011, at 10:23 PM, "Michael Haas" <[email protected]> wrote:
>
> Hi,
>
> is it normal that if a redirect is configured in Apache, mod_security
> is not blocking according to its rules? It logs the request but the client
> is redirected.
>
> GET /..%5c../ HTTP/1.1
> Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/security-layer, application/security-capsule, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
> Accept-Language: de-at,en-us;q=0.5
> User-Agent: Mozilla/4.0 (compatible; MSIE......)
> Accept-Encoding: gzip, deflate
> Host: XXX.xxxx
> Connection: Keep-Alive
>
> --ac9b0025-F--
> HTTP/1.1 302 Found
> Location: https://XXX.xxxx/
> Content-Length: 208
> Keep-Alive: timeout=5, max=100
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
>
> --ac9b0025-H--
> Message: Pattern match "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" at REQUEST_FILENAME. [file "/test/modsecurity_crs/modsecurity_crs_15_exception.conf"] [line "19"] [id "1000"] [rev "2.1.2"] [msg "Path Traversal Attack"] [severity "CRITICAL"]
> Stopwatch: 1310867782439547 587 (- - -)
> Producer: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); core ruleset/2.1.2.
> Server: Apache
>
>
> If I do this without the redirect, the rule blocks with 403.
>
> That's the rule:
>
> SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:1,rev:'2.1.2',t:none,ctl:auditLogParts=+E,block,msg:'Path Traversal Attack',id:'1000',severity:'2'"
> SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \
>     "t:none,t:lowercase,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"
>
> Thanks in advance
> Michael
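One way to find the transactions this thread describes in an audit log: a rule matched (part H) but the response recorded in part F is not the deny status. This is an added example, not code from the thread or from ModSecurity; the sample log is constructed in the layout quoted above, and 403 as the deny status is taken from the thread.

```python
import re

# Constructed sample: two transactions in the audit-log layout quoted in the
# thread (boundary ids and host are placeholders, the regex text is elided).
SAMPLE = """\
--ac9b0025-B--
GET /..%5c../ HTTP/1.1
--ac9b0025-F--
HTTP/1.1 302 Found
Location: https://example.test/
--ac9b0025-H--
Message: Pattern match "REGEX" at REQUEST_FILENAME. [id "1000"] [msg "Path Traversal Attack"]
--ac9b0025-Z--
--ac9b0026-B--
GET /..%5c../ HTTP/1.1
--ac9b0026-F--
HTTP/1.1 403 Forbidden
--ac9b0026-H--
Message: Pattern match "REGEX" at REQUEST_FILENAME. [id "1000"] [msg "Path Traversal Attack"]
--ac9b0026-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$")

def parse_audit_log(text):
    """Return {boundary_id: {section_letter: [lines]}} for a serial audit log."""
    entries, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = entries.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    return entries

def matched_but_not_blocked(text, deny_status="403"):
    """List (request_line, status, rule_ids) where a rule matched but the
    response status in part F differs from the expected deny status."""
    findings = []
    for sections in parse_audit_log(text).values():
        ids = [i for l in sections.get("H", []) if l.startswith("Message:")
               for i in re.findall(r'\[id "(\d+)"\]', l)]
        status_line = next((l for l in sections.get("F", []) if l.startswith("HTTP/")), None)
        status = status_line.split()[1] if status_line else None
        if ids and status and status != deny_status:
            findings.append(((sections.get("B") or [""])[0], status, ids))
    return findings

if __name__ == "__main__":
    for finding in matched_but_not_blocked(SAMPLE):
        print(finding)
```

Entries without part F in the audit log are skipped, so `SecAuditLogParts` has to include F for this check to see the response status.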
