Ryan Barnett wrote:
> Tomas - Welcome to my world :) I have been using Apache/Mod_Security as
> a reverse proxy for Microsoft's Outlook Web Access and have run into this
> same issue. When you are dealing with webmail apps, it gets infinitely
> more difficult to fine tune your filters. This is due in most part from
> the concept of mixing HTTP and SMTP. We just have no way to forecast
> "expected behavior" for what people will write in the body of their
> With that being said, you can try some of the following -
> 1) Turn off PostPayload scanning.
> This would certainly stop these errors, but then you would also not be
> monitoring a key area where attackers target.
> 2) Use SecFilterSelective instead of SecFilter
> SecFilter is too broad. SecFilterSelective will allow you to focus your
> search to specific request locations. The best locations to look for
> attacks (excluding the post payload) are THE_REQUEST, QUERY_STRING or
> choose some specific headers such as COOKIE_VALUES. So, an updated
> filter would look like this -
> SecFilterSelective "THE_REQUEST|COOKIE_VALUES" "/bin/chmod"
because COOKIE_VALUES would only look in a cookie named "values".
COOKIES_VALUES (with an "S") examines all cookies present in a
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
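
Added example (not part of the original thread, and not ModSecurity code): a small Python model of the ModSecurity 1.x variable semantics discussed above, showing why the broad SecFilter fires on a webmail body and why COOKIE_VALUES misses a cookie that COOKIES_VALUES inspects. The request dictionaries, helper names and sample requests are constructed for illustration; case-insensitive cookie-name matching is an assumption of the model.

```python
import re

def parse_cookies(header):
    """Split a Cookie header into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs

def targets(variable, req):
    """Strings that a simplified ModSecurity 1.x variable exposes to the regex."""
    cookies = parse_cookies(req["headers"].get("Cookie", ""))
    if variable == "THE_REQUEST":
        return [req["request_line"]]
    if variable == "POST_PAYLOAD":
        return [req["body"]]
    if variable == "COOKIES_VALUES":          # every cookie in the request
        return [v for _, v in cookies]
    if variable.startswith("COOKIE_"):        # one cookie, selected by name
        wanted = variable[len("COOKIE_"):].lower()
        return [v for n, v in cookies if n.lower() == wanted]
    raise ValueError("variable not modelled: " + variable)

def sec_filter_selective(locations, pattern, req):
    """True if the pattern matches in any of the '|'-separated locations."""
    return any(re.search(pattern, s)
               for var in locations.split("|") for s in targets(var, req))

def sec_filter(pattern, req, scan_post=True):
    """Broad SecFilter: first request line, plus the body when POST scanning is on."""
    return sec_filter_selective(
        "THE_REQUEST|POST_PAYLOAD" if scan_post else "THE_REQUEST", pattern, req)

# Constructed sample requests (bodies shown after URL-decoding).
WEBMAIL_POST = {"request_line": "POST /exchange/send HTTP/1.1",
                "headers": {"Cookie": "sessionid=abc123"},
                "body": "subject=perms&body=then run /bin/chmod 755 deploy.sh"}
COOKIE_REQ = {"request_line": "GET /index.php HTTP/1.1",
              "headers": {"Cookie": "sessionid=abc123; theme=/bin/chmod"},
              "body": ""}
PATTERN = "/bin/chmod"

if __name__ == "__main__":
    print("SecFilter on webmail body:", sec_filter(PATTERN, WEBMAIL_POST))
    for loc in ("THE_REQUEST|COOKIE_VALUES", "THE_REQUEST|COOKIES_VALUES"):
        print(loc, "webmail:", sec_filter_selective(loc, PATTERN, WEBMAIL_POST),
              "cookie:", sec_filter_selective(loc, PATTERN, COOKIE_REQ))
```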