[Owasp-modsecurity-core-rule-set] 200 HTTP code returned despite log showing 403
danieljamesscott at gmail.com
Mon Apr 8 13:40:55 UTC 2013
I'm running Apache 2.2.24 with mod_security 2.7.1 and CRS 2.2.6. I've
added a file to whitelist some URLs, and to ignore some SQL injection
rules which are required for correct operation of our application.
I've noticed a strange issue with rule 960015, the Accept header
check. If I access a page, such as index.html, on the site using curl
from the command line, then everything works correctly, and I receive
a 403 response because curl is not setting the Accept header.
However, if I access the root of the site "/", then I see the correct
entry in the error_log (ModSecurity: Access denied with code 403
(phase 2). Operator EQ matched 0 at REQUEST_HEADERS.), but my access
log shows a 200 return code, and I receive the page back from the
server, despite not setting the request header.
To reiterate, mod_security seems to be working correctly for all
pages except the root of the site. Is there something that I'm
missing? Why would mod_security still log a 403 error, but not
actually block the request?
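The symptom described in the post (error_log says "Access denied with code 403", access_log says 200) is easiest to hunt for systematically by joining the two logs. The script below is an added example, not code from the poster or from the CRS project: it correlates ModSecurity denial messages with access_log entries by Apache's UNIQUE_ID and reports every request where the logged block code differs from the status the client actually received. It assumes mod_unique_id is loaded and that the access_log LogFormat has `%{UNIQUE_ID}e` appended as its last field (that LogFormat, the IP 192.0.2.10, the hostname and the unique_id values are assumptions); the sample log lines are constructed to mirror the post, with rule 960015 and the phase 2 denial taken from it.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample input (not taken from the original post). The error_log
# lines follow the general layout of a ModSecurity 2.x message; the access_log
# lines are Apache "combined" format with %{UNIQUE_ID}e appended (assumption).
ERROR_LOG = """\
[Mon Apr 08 13:40:55 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [hostname "www.example.com"] [uri "/"] [unique_id "UWLw9n8AAAEAAAXYAhwAAAAA"]
[Mon Apr 08 13:41:02 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [hostname "www.example.com"] [uri "/index.html"] [unique_id "UWLw-n8AAAEAAAXYAh0AAAAB"]
"""

ACCESS_LOG = """\
192.0.2.10 - - [08/Apr/2013:13:40:55 +0000] "GET / HTTP/1.1" 200 3214 "-" "curl/7.29.0" UWLw9n8AAAEAAAXYAhwAAAAA
192.0.2.10 - - [08/Apr/2013:13:41:02 +0000] "GET /index.html HTTP/1.1" 403 212 "-" "curl/7.29.0" UWLw-n8AAAEAAAXYAh0AAAAB
"""

# Pull the client, block code, rule id, URI and unique_id out of a denial line.
DENY_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: Access denied with code (?P<code>\d+)'
    r'.*?\[id "(?P<rule>\d+)"\].*?\[uri "(?P<uri>[^"]*)"\].*?\[unique_id "(?P<uid>[^"]+)"\]'
)

# Combined log format with the unique id as the trailing field.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'\S+ "[^"]*" "[^"]*" (?P<uid>\S+)$'
)


def parse_denials(error_log: str) -> List[dict]:
    """Return one dict per ModSecurity 'Access denied' line in error_log."""
    denials = []
    for line in error_log.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["code"] = int(d["code"])
            denials.append(d)
    return denials


def parse_access(access_log: str) -> Dict[str, dict]:
    """Index access_log entries by their UNIQUE_ID field."""
    entries = {}
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            entries[d["uid"]] = d
    return entries


def find_unenforced_blocks(error_log: str, access_log: str) -> List[Tuple[str, str, str, int, int]]:
    """Return (unique_id, rule, uri, logged_block_code, actual_status) for every
    denial whose matching access_log entry did not carry the block code."""
    access = parse_access(access_log)
    mismatches = []
    for d in parse_denials(error_log):
        a = access.get(d["uid"])
        if a is None:
            continue  # no access entry to compare against; cannot judge
        if a["status"] != d["code"]:
            mismatches.append((d["uid"], d["rule"], d["uri"], d["code"], a["status"]))
    return mismatches


if __name__ == "__main__":
    # Usage: python check_modsec.py error_log access_log  (defaults to the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            err = f.read()
        with open(sys.argv[2]) as f:
            acc = f.read()
    else:
        err, acc = ERROR_LOG, ACCESS_LOG
    for uid, rule, uri, code, status in find_unenforced_blocks(err, acc):
        print(f"{uid}: rule {rule} logged {code} for {uri!r} but client got {status}")
```

On the constructed sample the only hit is the request for "/", which is exactly the post's complaint; the index.html request correlates cleanly as 403 in both logs. Without a shared UNIQUE_ID you would have to join on client IP, URI and timestamp, which is ambiguous under load, so enabling mod_unique_id in the access LogFormat is worth doing before debugging this class of discrepancy.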