Ivan Ristic <ivanr@...> wrote:
> Ulf Stegemann wrote:
>> Apache 1.3.29, mod_security 1.7.3
>> When using chain-ed filter rules it seems that mod_security prints only the
>> pattern from the last filter rule of the chain in mod_security-message (with
>> "SecAuditEngine RelevantOnly" that is).
> Yes. When a set of rules is chained, only the last rule is treated
> as an "action" rule. Perhaps I can relax that a bit to allow rule
> supplied actions to be executed but not the default action. So you
> would still be able to do something, but the rule execution would
To allow some "action" after a match in a chain while still continuing the
chain would be a nice feature indeed.
>> So my question is: what's the best way to circumvent such a behaviour?
>> Of course, adding a comment to filter rules that will be printed to the log
>> file might come in handy, anyway. Think of references and the like.
> I will introduce new features in that area in 1.9. I haven't decided
> yet, but I was thinking of adding several new actions to define a
> unique attack id (so you can have several rules/matches for the same
> thing), a message action (to log custom messages), a severity
> action, etc.
> I believe this would solve your problem, would it?
> (BTW, 1.9 will be out by the end of the year)
Yes, it would. I think all the new actions you mentioned would be great
improvements to mod_security. I'm looking forward to the new release :) Thank
you for your effort.
zeitform Internet Dienste Fraunhoferstr. 5
64283 Darmstadt, Germany
http://www.zeitform.de Tel: +49 (0)6151 155-636
mailto:stegemann@... Fax: +49 (0)6151 155-634
GnuPG/PGP Key-ID: 0x8862250A