[Owasp-modsecurity-core-rule-set] Ha: Unknown blockage

Artyom Davidov ard at 100.pfr.ru
Thu Mar 25 16:10:53 EDT 2010


> Hi -
>
> I'm upgrading from Core Rules 1.x to 2.0.6, and for the life of me I
> can't figure out what's blocking a bunch of requests going to images,
> css and auxiliary files after I set my secdefaultaction from pass -->
> fail.
>
> I'm running modsec 2.5.12 on httpd 2.2.14 on redhat 4 in a proxy
> situation.  Below is the audit log of a failed transaction.  I've
> scrubbed some cookies, IPs and such.  Many of the rules that it
> matched on don't make sense - for instance two seem to reference
> content in my GET, but as you can see from the audit log - that is not
> true.
>
> Basically, I switch from SecDefaultAction "phase:2,pass" to
> SecDefaultAction "phase:2,deny" and things blow up.
>
> Thanks in advance.
>
[...skipped...]
> SecRule "RESPONSE_BODY" "!@pmFromFile modsecurity_50_outbound.data" 
> "phase:4,rev:2.0.6,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,
> nolog,skipAfter:END_OUTBOUND_CHECK" 

Hmmm... Strange.
It seems that a part of the bug with id "CORERULES-36" is still in place.
Just checked modsecurity_crs_50_outbound.conf and it looks like it's still
missing a default action in this rule.
We got the same behaviour with the 2.0.5 rules until we added a "pass"
default action to this rule.
So the corrected rule should look like the following:

SecRule RESPONSE_BODY "!@pmFromFile modsecurity_50_outbound.data" \
    "phase:4,rev:'2.0.6',t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,pass,nolog,skipAfter:END_OUTBOUND_CHECK"

Strange though. Maybe Ryan can comment on this.

wbr
Artyom
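
A lint for the condition described in this thread, as an added example that is not part of the original messages or of the Core Rule Set: it lists SecRule directives that name no disruptive action and so take theirs from SecDefaultAction. The DISRUPTIVE set, the function names and the chained-rule pair in the sample are assumptions of this example.

```python
import re
import shlex

# Disruptive actions this example looks for (ModSecurity 2.x action names).
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "proxy", "redirect"}
COMMA = re.compile(r",(?=(?:[^']*'[^']*')*[^']*$)")  # commas outside '...'

# Constructed sample: the rule quoted in the thread, the corrected rule from
# the reply, and a made-up chained rule pair.
SAMPLE = r'''
SecDefaultAction "phase:2,deny"
SecRule "RESPONSE_BODY" "!@pmFromFile modsecurity_50_outbound.data" \
    "phase:4,rev:2.0.6,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,nolog,skipAfter:END_OUTBOUND_CHECK"
SecRule RESPONSE_BODY "!@pmFromFile modsecurity_50_outbound.data" \
    "phase:4,rev:'2.0.6',t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,pass,nolog,skipAfter:END_OUTBOUND_CHECK"
SecRule REQUEST_METHOD "@streq POST" "phase:2,chain,deny,msg:'upload, blocked'"
SecRule REQUEST_URI "@contains /upload" "t:none"
'''

def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line and not line.startswith("#"):
            yield line

def rules_inheriting_default(text):
    """List (variables, actions) of SecRules with no disruptive action."""
    flagged, in_chain = [], False
    for line in logical_lines(text):
        tokens = shlex.split(line)
        if tokens[0].lower() != "secrule":
            continue
        actions = tokens[3] if len(tokens) > 3 else ""
        names = {a.split(":", 1)[0].strip().lower() for a in COMMA.split(actions)}
        # Later rules of a chain take the disruptive action from the first.
        if not in_chain and not names & DISRUPTIVE:
            flagged.append((tokens[1], actions))
        in_chain = "chain" in names
    return flagged

if __name__ == "__main__":
    for variables, actions in rules_inheriting_default(SAMPLE):
        print(f'inherits SecDefaultAction: SecRule {variables} ... "{actions}"')
```

Run against a rules directory before switching SecDefaultAction from pass to deny, any rule it lists will start blocking on match.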