[Owasp-modsecurity-core-rule-set] Ha: Unknown blockage
ard at 100.pfr.ru
Thu Mar 25 16:10:53 EDT 2010
> Hi -
> I'm upgrading from Core Rules 1.x to 2.0.6, and for the life of me I
> can't figure out whats blocking a bunch of requests going to images,
> css and auxilary files after I set my secdefaultaction from pass -->
> I'm running modsec 2.5.12 on httpd 2.2.14 on redhat 4 in a proxy
> situation. Below is the audit log of a failed transaction. I've
> scrubbed some cookies, IPs and such. Many of the rules that it
> matched on don't make sense - for instance two seem to reference
> content in my GET, but as you can see from the audit log - that is not
> basically, I switch from SecDefaultAction "phase:2,pass" to
> SecDefaultAction "phase:2,deny" and things blow up.
> Thanks in advance.
> SecRule "RESPONSE_BODY" "!@pmFromFile modsecurity_50_outbound.data"
It seems that a part of the bug with id "CORERULES-36" is still in place.
Just checked modsecurity_crs_50_outbound.conf and it looks like it's still
missing default action in this rule.
We've got the same behaviour with 2.0.5 rules until we've added a "pass"
default action to this rule.
So the corrected rule should look like the following:
SecRule RESPONSE_BODY "!@pmFromFile modsecurity_50_outbound.data" \
Strange though. Maybe Ryan can comment on this.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-modsecurity-core-rule-set