I am rather new to modsecurity rules and am having trouble understanding the functionality of allow:request. From this debug log snippet, I have written a custom rule, modsecurity_crs_15_custom_rules.conf, that is designed to allow the GET of a .dtd and skip the remainder of request phase processing with allow:request. However, this log shows that the processing of the rules in the request phases continues with crs_20, which I am trying to avoid. Is there something that I have missed?



 Warning. Operator EQ matched 0 at TX. [file "/etc/httpd/conf/modsecurity_crs/modsecurity_crs_10_config.conf"] [line "309"] [id "98
 Rule returned 1.
 Match -> mode NEXT_RULE.

 Recipe: Invoking rule 2ad8c7cf62e0; [file "/etc/httpd/conf/modsecurity_crs/base_rules/modsecurity_crs_15_custom_rules.conf"] [line
 Rule 2ad8c7cf62e0: SecRule "REQUEST_METHOD" "@rx ^GET$" "phase:1,chain,nolog,t:none,severity:6,rev:1.0.0,allow:request,msg:'Allow
 Transformation completed in 1 usec.
 Executing operator "rx" with param "^GET$" against REQUEST_METHOD.
 Target value: "GET"
 Operator completed in 2 usec.
 Rule returned 1.
 Match -> mode NEXT_RULE.

 Recipe: Invoking rule 2ad8c7cf6ea0; [file "/etc/httpd/conf/modsecurity_crs/base_rules/modsecurity_crs_15_custom_rules.conf"] [line
 Rule 2ad8c7cf6ea0: SecRule "REQUEST_FILENAME" "@rx ^/dtd/.*[.]dtd$" "t:none"
 Transformation completed in 1 usec.
 Executing operator "rx" with param "^/dtd/.*[.]dtd$" against REQUEST_FILENAME.
 Target value: "/dtd/BCSSRequest-v1.1.dtd"
 Operator completed in 3 usec.
 Warning. Pattern match "^/dtd/.*[.]dtd$" at REQUEST_FILENAME. [file "/etc/httpd/conf/modsecurity_crs/base_rules/modsecurity_crs_15
 Rule returned 1.
 Match -> mode NEXT_RULE.

 Recipe: Invoking rule 2ad8c7cf9ef8; [file "/etc/httpd/conf/modsecurity_crs/base_rules/modsecurity_crs_20_protocol_violations.conf"
 Rule 2ad8c7cf9ef8: SecRule "REQUEST_LINE" "!@rx ^(?:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]
 T (0) lowercase: "get /dtd/bcssrequest-v1.1.dtd http/1.0"
 Transformation completed in 9 usec.
 Executing operator "!rx" with param "^(?:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S
 Target value: "get /dtd/bcssrequest-v1.1.dtd http/1.0"
 Operator completed in 8 usec.
 Rule returned 0.
 No match, not chained -> mode NEXT_RULE.



David B. Sinclair

Security Manager

Email:   [email protected]

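A small checker for exactly this situation, added here as an example and not part of the original post or of the CRS project: it walks a ModSecurity debug log, finds the first rule carrying allow:request, confirms that every link of its chain matched, and lists any rule (with its file) that the engine still invoked afterwards. The sample log is constructed from the entries quoted above, with each entry joined onto one line and a hypothetical complete msg text; the actions string is split naively on commas, which is enough for the rules shown here.

```python
import re

# Constructed sample modelled on the debug log quoted in the post above:
# same rule ids and file names, each log entry joined onto a single line.
SAMPLE_LOG = """\
Recipe: Invoking rule 2ad8c7cf62e0; [file "/etc/httpd/conf/modsecurity_crs/base_rules/modsecurity_crs_15_custom_rules.conf"] [line "3"]
Rule 2ad8c7cf62e0: SecRule "REQUEST_METHOD" "@rx ^GET$" "phase:1,chain,nolog,t:none,severity:6,rev:1.0.0,allow:request,msg:'Allow DTD'"
Rule returned 1.
Recipe: Invoking rule 2ad8c7cf6ea0; [file "/etc/httpd/conf/modsecurity_crs/base_rules/modsecurity_crs_15_custom_rules.conf"] [line "4"]
Rule 2ad8c7cf6ea0: SecRule "REQUEST_FILENAME" "@rx ^/dtd/.*[.]dtd$" "t:none"
Rule returned 1.
Recipe: Invoking rule 2ad8c7cf9ef8; [file "/etc/httpd/conf/modsecurity_crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "40"]
Rule 2ad8c7cf9ef8: SecRule "REQUEST_LINE" "!@rx ^[a-z]{3,10}\\s+/" "phase:1,t:none,t:lowercase,block,msg:'Invalid HTTP Request Line'"
Rule returned 0.
"""

INVOKE_RE = re.compile(r'Recipe: Invoking rule (\w+); \[file "([^"]+)"\]')
RULE_RE = re.compile(r'Rule \w+: SecRule "[^"]*" "(?:[^"\\]|\\.)*" "(?P<actions>(?:[^"\\]|\\.)*)"')
RETURN_RE = re.compile(r'Rule returned (\d)\.')


def audit_allow(log_text):
    """For the first rule carrying allow:request, report whether every link of
    its chain matched and which rules the engine still invoked afterwards.
    An honoured allow:request leaves invoked_after empty."""
    allow_id, chain_open, in_link = None, False, False
    chain_matched, current, invoked_after = True, None, []
    for line in log_text.splitlines():
        if m := INVOKE_RE.search(line):
            current = (m.group(1), m.group(2))        # (rule id, rule file)
            if allow_id and not chain_open:           # allow fired and its chain is done
                invoked_after.append(current)
        elif m := RULE_RE.search(line):
            actions = m.group('actions').split(',')   # naive split; msg text with commas needs a real parser
            if allow_id is None and 'allow:request' in actions:
                allow_id = current[0]
                chain_open, in_link = 'chain' in actions, True
            elif allow_id and chain_open:             # a later link of the allow chain
                chain_open, in_link = 'chain' in actions, True
        elif in_link and (m := RETURN_RE.search(line)):
            chain_matched = chain_matched and m.group(1) == '1'
            in_link = False
    return {
        'allow_rule': allow_id,
        'chain_matched': chain_matched,
        'invoked_after': invoked_after,
        'allow_honoured': allow_id is not None and chain_matched and not invoked_after,
    }
```

Run against the sample, it reports the chain as fully matched yet lists 2ad8c7cf9ef8 from modsecurity_crs_20_protocol_violations.conf as invoked afterwards, which is the observation in the post.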

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
