On 8/9/11 5:46 PM, "David Sinclair" <[email protected]> wrote:
> The SecRuleEngine variable is set to DetectionOnly. I guess that makes
> sense if it is only detecting, but I wish it had been documented a bit more.

Good point, David. I updated the SecRuleEngine info for DetectionOnly and added a NOTE to the Reference Manual to point this out:

https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRuleEngine
https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#Actions

-Ryan

> Thank you for the help and quick response.
>
> David B. Sinclair
> Security Manager
> Email: [email protected]
>
> -----Original Message-----
> From: Ryan Barnett [mailto:[email protected]]
> Sent: Tuesday, August 09, 2011 4:41 PM
> To: David Sinclair; [email protected]
> Subject: Re: [Owasp-modsecurity-core-rule-set] allow:request
>
> What is your SecRuleEngine set to? If it is DetectionOnly then it will
> not execute allow actions as they are considered disruptive. If this is
> the case, then you can add "ctl:ruleEngine=On" to your rule to trigger the
> allow. Remember though, that this has now enabled blocking mode for this
> transaction which means that any phase 3 and 4 rules may trigger blocks.
> If you don't want that, then you should add another phase:3 rule to your
> custom rules file to "ctl:ruleEngine=DetectionOnly".
>
> -Ryan
>
> From: David Sinclair <[email protected]>
> Date: Tue, 9 Aug 2011 16:37:12 -0500
> To: "[email protected]" <[email protected]>
> Subject: [Owasp-modsecurity-core-rule-set] allow:request
>
> I am rather new to modsecurity rules and am having trouble understanding
> the functionality of allow:request. From this debug log snippet, I have
> written a custom rule, modsecurity_crs_15_custom_rules.conf, that is
> designed to allow the GET of a .dtd and skip the remainder of request
> phase processing with allow:request.
> However, this log shows that the processing of the rules in the request
> phases continues with crs_20, which I am trying to avoid. Is there
> something that I have missed?
>
> Warning. Operator EQ matched 0 at TX. [file "/etc/httpd/conf/modsecurity_crs/modsecurity_crs_10_config.conf"] [line "309"] [id "98
> Rule returned 1.
> Match -> mode NEXT_RULE.
> Recipe: Invoking rule 2ad8c7cf62e0; [file "/etc/httpd/conf/modsecurity_crs/base_rules/modsecurity_crs_15_custom_rules.conf"] [line
> Rule 2ad8c7cf62e0: SecRule "REQUEST_METHOD" "@rx ^GET$" "phase:1,chain,nolog,t:none,severity:6,rev:1.0.0,allow:request,msg:'Allow
> Transformation completed in 1 usec.
> Executing operator "rx" with param "^GET$" against REQUEST_METHOD.
> Target value: "GET"
> Operator completed in 2 usec.
> Rule returned 1.
> Match -> mode NEXT_RULE.
> Recipe: Invoking rule 2ad8c7cf6ea0; [file "/etc/httpd/conf/modsecurity_crs/base_rules/modsecurity_crs_15_custom_rules.conf"] [line
> Rule 2ad8c7cf6ea0: SecRule "REQUEST_FILENAME" "@rx ^/dtd/.*[.]dtd$" "t:none"
> Transformation completed in 1 usec.
> Executing operator "rx" with param "^/dtd/.*[.]dtd$" against REQUEST_FILENAME.
> Target value: "/dtd/BCSSRequest-v1.1.dtd"
> Operator completed in 3 usec.
> Warning. Pattern match "^/dtd/.*[.]dtd$" at REQUEST_FILENAME. [file "/etc/httpd/conf/modsecurity_crs/base_rules/modsecurity_crs_15
> Rule returned 1.
> Match -> mode NEXT_RULE.
> Recipe: Invoking rule 2ad8c7cf9ef8; [file "/etc/httpd/conf/modsecurity_crs/base_rules/modsecurity_crs_20_protocol_violations.conf"
> Rule 2ad8c7cf9ef8: SecRule "REQUEST_LINE" "!@rx ^(?:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]
> T (0) lowercase: "get /dtd/bcssrequest-v1.1.dtd http/1.0"
> Transformation completed in 9 usec.
> Executing operator "!rx" with param "^(?:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S
> Target value: "get /dtd/bcssrequest-v1.1.dtd http/1.0"
> Operator completed in 8 usec.
> Rule returned 0.
> No match, not chained -> mode NEXT_RULE.
>
> David B. Sinclair
> Security Manager
> Email: [email protected]
>
> ---------------------------------------------------------------------------------------
> This email is intended solely for the use of the addressee and may
> contain information that is confidential, proprietary, or both.
> If you receive this email in error please immediately notify the
> sender and delete the email.
> ---------------------------------------------------------------------------------------
>
> ________________________________
> This transmission may contain information that is privileged,
> confidential, and/or exempt from disclosure under applicable law. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or use of the information contained
> herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
> received this transmission in error, please immediately contact the sender
> and destroy the material in its entirety, whether in electronic or hard
> copy format.

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
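The rule pair Ryan describes, written out as an added example (this is not David's rule, Ryan's code, or part of the CRS). It assumes the same path pattern David used, rule ids 15001 and 15002 and the transaction variable name tx.dtd_allowed (all chosen for this example), and that the file it lives in loads before the CRS base_rules files, as modsecurity_crs_15_custom_rules.conf does, so the rules run ahead of the CRS rules in their phase. The engine is switched on in the last rule of the chain rather than the first so that it only flips once both the method and the path have matched; the debug log for a matching request should then stop showing the phase 1 rules from modsecurity_crs_20_protocol_violations.conf being invoked.

```apache
# Global engine mode as in the thread: disruptive actions (including allow)
# are not executed in DetectionOnly.
SecRuleEngine DetectionOnly

# Phase 1: allow GET /dtd/*.dtd and skip the rest of phases 1 and 2.
# allow:request on the chain starter only fires once every rule in the
# chain matches. ctl:ruleEngine=On sits on the last rule of the chain so
# the engine is turned on for this transaction only after both conditions
# hold; with the engine On, the allow is now actually executed.
# (ids 15001/15002 and tx.dtd_allowed are assumptions for this example.)
SecRule REQUEST_METHOD "@streq GET" \
    "phase:1,id:15001,t:none,nolog,chain,allow:request,msg:'Allow GET of DTD'"
    SecRule REQUEST_FILENAME "@rx ^/dtd/.*[.]dtd$" \
        "t:none,ctl:ruleEngine=On,setvar:tx.dtd_allowed=1"

# Phase 3: the ctl change above lasts for the whole transaction, so any
# phase 3 or 4 rule would now block instead of only logging. Put the
# engine back to DetectionOnly before the CRS response-phase rules run.
SecRule TX:dtd_allowed "@eq 1" \
    "phase:3,id:15002,t:none,nolog,pass,ctl:ruleEngine=DetectionOnly"
```

Because allow:request also skips the remaining phase 2 (request body) rules, nothing runs against the body of a matching request; that is the intent here, but it is worth keeping the REQUEST_FILENAME pattern as tight as the application allows. Verify the behaviour with the debug log rather than by inspection: with the rules in place, a request for /dtd/BCSSRequest-v1.1.dtd should show the chain matching and the allow taking effect, and the phase 3 rule should be the one that resets the engine for that transaction.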
