[Owasp-modsecurity-core-rule-set] redirect with Apache

Michael Haas michael.haas10 at gmail.com
Sun Jul 17 10:07:57 EDT 2011


Hi Josh,

It's a redirect from port 80 to 443.

    RewriteEngine On
    RewriteRule ^/(.*) https://XXX.xxx/

Michael

2011/7/17 Josh Amishav-Zlatin <jamuse at gmail.com>

> Hi Michael,
>
> How is the redirect configured in Apache?
>
> --
>  - Josh
>
> On Sun, Jul 17, 2011 at 5:23 AM, Michael Haas <michael.haas10 at gmail.com> wrote:
>
>> Hi,
>>
>> Is it normal that if a redirect is configured in Apache that mod_security
>> is not blocking according to its rules? It logs the request but the client
>> is redirected.
>>
>> GET /..%5c../ HTTP/1.1
>> Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,
>> application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
>> application/x-shockwave-flash, application/security-layer,
>> application/security-capsule, application/x-ms-application,
>> application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml,
>> */*
>> Accept-Language: de-at,en-us;q=0.5
>> User-Agent: Mozilla/4.0 (compatible; MSIE......)
>> Accept-Encoding: gzip, deflate
>> Host: XXX.xxxx
>> Connection: Keep-Alive
>>
>> --ac9b0025-F--
>> HTTP/1.1 302 Found
>> Location: https://XXX.xxxx/
>> Content-Length: 208
>> Keep-Alive: timeout=5, max=100
>> Connection: Keep-Alive
>> Content-Type: text/html; charset=iso-8859-1
>>
>> --ac9b0025-H--
>> Message: Pattern match
>> "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))"
>> at REQUEST_FILENAME. [file
>> "/test/modsecurity_crs/modsecurity_crs_15_exception.conf"] [line "19"] [id
>> "1000"] [rev "2.1.2"] [msg "Path Traversal Attack"] [severity "CRITICAL"]
>> Stopwatch: 1310867782439547 587 (- - -)
>> Producer: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/);
>> core ruleset/2.1.2.
>> Server: Apache
>>
>>
>> If I do this without the redirect, the rule blocks with 403.
>>
>> That's the rule:
>>
>> SecRule TX:PARANOID_MODE "@eq 1" \
>>     "chain,phase:1,rev:'2.1.2',t:none,ctl:auditLogParts=+E,block,msg:'Path Traversal Attack',id:'1000',severity:'2'"
>>         SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \
>>             "t:none,t:lowercase,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"
>>
>> Thanks in advance,
>> Michael
>>
>>
>
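To find other transactions like the one quoted above, where a rule matched but the client did not receive a 403, the audit log can be scanned for that combination. The script below is an added example, not part of the original thread; it assumes the serial audit log format with `--<id>-<letter>--` section boundaries and unwrapped `Message:` lines, and the sample entry is constructed from the quoted one.

```python
import re

# Constructed sample: a trimmed serial-format audit log entry modelled on the
# one quoted in the thread (host is the thread's placeholder, regex elided).
SAMPLE = """\
--ac9b0025-B--
GET /..%5c../ HTTP/1.1
Host: XXX.xxxx
--ac9b0025-F--
HTTP/1.1 302 Found
Location: https://XXX.xxxx/
--ac9b0025-H--
Message: Pattern match "..." at REQUEST_FILENAME. [id "1000"] [msg "Path Traversal Attack"] [severity "CRITICAL"]
--ac9b0025-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")

def parse_entries(text):
    """Split a serial audit log into {txid: {section_letter: [lines]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = entries.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    return entries

def unenforced_matches(text, severities=("CRITICAL",)):
    """Return (txid, status, rule_id, msg) for rule matches answered with a non-403 status."""
    findings = []
    for txid, sections in parse_entries(text).items():
        # Section F holds the response headers; its first line is the status line.
        status_line = next((l for l in sections.get("F", []) if l.startswith("HTTP/")), "")
        parts = status_line.split()
        status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
        # Section H holds one "Message:" line per rule that matched.
        for line in sections.get("H", []):
            if line.startswith("Message:"):
                tags = dict(re.findall(r'\[(\w+) "([^"]*)"\]', line))
                if tags.get("severity") in severities and status != 403:
                    findings.append((txid, status, tags.get("id"), tags.get("msg")))
    return findings

if __name__ == "__main__":
    for finding in unenforced_matches(SAMPLE):
        print("matched but not blocked: tx=%s status=%s rule=%s msg=%s" % finding)
```
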