Hi,

we have a new setup of Apache 2.4.7 + mod_jk + mod_security2 (2.2.8), running on Ubuntu Server 12.04.4 (64-bit).

The intention is to make mod_security work on specific locations only and leave other traffic
untouched (we are POSTing application-encrypted/base64-encoded data on the other contexts,
which cannot be decoded by the engine and would thus match some expressions that are not really valid).

Our setup includes some activated rules and the following directives in httpd.conf:

SecRuleEngine Off
<LocationMatch "/ws/services/.*">
    SecRuleEngine DetectionOnly
</LocationMatch>
<LocationMatch "/context1/*.jsp">
    SecRuleEngine DetectionOnly
</LocationMatch>


From my point of view, the general behaviour should be to switch off the RuleEngine and
apply the rules only for the named locations. One of these serves only JSP content, the other one
XML data for web services (Apache Axis behind).


Now, we encountered a problem:

When acting on the other context, which should have no active RuleEngine by configuration, the Cookie headers
are modified by modsecurity_crs_55_application_defects.conf (Header edit after SecRule 981235/981184).
(Some Java clients do not like the HttpOnly directive.)


We commented this section and everything works again as expected.

So problem solved, but I'd like to know why the rules are even processed, because we switched off
the RuleEngine for this area ....


Apache access log (including incoming and outgoing cookies):

Rule is active:

192.168.19.158 - - [07/May/2014:12:51:35 +0200] "POST /context1/application HTTP/1.1" 200 513 "-" "Java/1.6.0_45" "-" "JSESSIONID=6C965F444FCA98135F6F05FC8ABB88ED.group1; Path=/context1; HttpOnly"
192.168.19.158 - - [07/May/2014:12:51:35 +0200] "GET /context1/clientconfig.properties HTTP/1.1" 404 1039 "-" "Java/1.6.0_45" "-" "-"
192.168.19.158 - - [07/May/2014:12:51:36 +0200] "POST /context1/application HTTP/1.1" 500 2197 "-" "Java/1.6.0_45" "-" "-"
192.168.19.158 - - [07/May/2014:12:51:36 +0200] "POST /context1/application HTTP/1.1" 500 2197 "-" "Java/1.6.0_45" "-" "-"
192.168.19.158 - - [07/May/2014:12:51:36 +0200] "POST /context1/application HTTP/1.1" 500 2197 "-" "Java/1.6.0_45" "-" "-"
192.168.19.158 - - [07/May/2014:12:51:37 +0200] "POST /context1/application HTTP/1.1" 500 2197 "-" "Java/1.6.0_45" "-" "-"
192.168.19.158 - - [07/May/2014:12:51:38 +0200] "POST /context1/application HTTP/1.1" 500 2197 "-" "Java/1.6.0_45" "-" "-"
192.168.19.158 - - [07/May/2014:12:51:39 +0200] "POST /context1/application HTTP/1.1" 500 2197 "-" "Java/1.6.0_45" "-" "-"

(the first request returns a cookie, appended with HttpOnly, which is not returned by the Java 1.6.x client)

Rule is not active:

192.168.19.158 - - [07/May/2014:12:57:29 +0200] "POST /context1/application HTTP/1.1" 200 513 "-" "Java/1.6.0_45" "-" "JSESSIONID=3B0FB979FEE51A19D0B1795CCFBE9C16.group1; Path=/context1"
192.168.19.158 - - [07/May/2014:12:57:30 +0200] "GET /context1/clientconfig.properties HTTP/1.1" 404 1039 "-" "Java/1.6.0_45" "JSESSIONID=3B0FB979FEE51A19D0B1795CCFBE9C16.group1" "-"
192.168.19.158 - - [07/May/2014:12:57:30 +0200] "POST /context1/application HTTP/1.1" 200 16 "-" "Java/1.6.0_45" "JSESSIONID=3B0FB979FEE51A19D0B1795CCFBE9C16.group1" "-"
192.168.19.158 - - [07/May/2014:12:57:30 +0200] "POST /context1/application HTTP/1.1" 200 16 "-" "Java/1.6.0_45" "JSESSIONID=3B0FB979FEE51A19D0B1795CCFBE9C16.group1" "-"
192.168.19.158 - - [07/May/2014:12:57:30 +0200] "POST /context1/application HTTP/1.1" 200 64 "-" "Java/1.6.0_45" "JSESSIONID=3B0FB979FEE51A19D0B1795CCFBE9C16.group1" "-"
192.168.19.158 - - [07/May/2014:12:57:30 +0200] "POST /context1/application HTTP/1.1" 200 16 "-" "Java/1.6.0_45" "JSESSIONID=3B0FB979FEE51A19D0B1795CCFBE9C16.group1" "-"


Debug log from modsecurity says:

[07/May/2014:12:51:35 +0200] [192.168.19.220/sid#962f88][rid#18a2530][/context1/application][4] Initialising transaction (txid U2oQN8CoE9wAABjn3pkAAAGy).
[07/May/2014:12:51:35 +0200] [192.168.19.220/sid#962f88][rid#18a2530][/context1/application][4] Transaction context created (dcfg 978d38).
[07/May/2014:12:51:35 +0200] [192.168.19.220/sid#962f88][rid#18a2530][/context1/application][4] Processing disabled, skipping (hook request_early).
[07/May/2014:12:51:35 +0200] [192.168.19.220/sid#962f88][rid#18a2530][/context1/application][4] Processing disabled, skipping (hook request_late).
[07/May/2014:12:51:35 +0200] [192.168.19.220/sid#962f88][rid#18a2530][/context1/application][4] Hook insert_filter: Processing disabled, skipping.
[07/May/2014:12:51:35 +0200] [192.168.19.220/sid#962f88][rid#18a2530][/context1/application][4] Initialising logging.
[07/May/2014:12:51:35 +0200] [192.168.19.220/sid#962f88][rid#18a2530][/context1/application][4] Starting phase LOGGING.
[07/May/2014:12:51:35 +0200] [192.168.19.220/sid#962f88][rid#18a2530][/context1/application][9] This phase consists of 81 rule(s).
[07/May/2014:12:51:35 +0200] [192.168.19.220/sid#962f88][rid#18a2530][/context1/application][4] Recording persistent data took 0 microseconds.
[07/May/2014:12:51:35 +0200] [192.168.19.220/sid#962f88][rid#18a2530][/context1/application][4] Audit log: Ignoring a non-relevant request.


// now with the rules commented out

[07/May/2014:12:57:29 +0200] [192.168.19.220/sid#1eaef88][rid#2dc2430][/context1/application][4] Initialising transaction (txid U2oRmcCoE9wAAB8TAK8AAALl).
[07/May/2014:12:57:29 +0200] [192.168.19.220/sid#1eaef88][rid#2dc2430][/context1/application][4] Transaction context created (dcfg 1ec4d38).
[07/May/2014:12:57:29 +0200] [192.168.19.220/sid#1eaef88][rid#2dc2430][/context1/application][4] Processing disabled, skipping (hook request_early).
[07/May/2014:12:57:29 +0200] [192.168.19.220/sid#1eaef88][rid#2dc2430][/context1/application][4] Processing disabled, skipping (hook request_late).
[07/May/2014:12:57:29 +0200] [192.168.19.220/sid#1eaef88][rid#2dc2430][/context1/application][4] Hook insert_filter: Processing disabled, skipping.
[07/May/2014:12:57:30 +0200] [192.168.19.220/sid#1eaef88][rid#2dc2430][/context1/application][4] Initialising logging.
[07/May/2014:12:57:30 +0200] [192.168.19.220/sid#1eaef88][rid#2dc2430][/context1/application][4] Starting phase LOGGING.
[07/May/2014:12:57:30 +0200] [192.168.19.220/sid#1eaef88][rid#2dc2430][/context1/application][9] This phase consists of 78 rule(s).
[07/May/2014:12:57:30 +0200] [192.168.19.220/sid#1eaef88][rid#2dc2430][/context1/application][4] Recording persistent data took 0 microseconds.
[07/May/2014:12:57:30 +0200] [192.168.19.220/sid#1eaef88][rid#2dc2430][/context1/application][4] Audit log: Ignoring a non-relevant request.


So why are the rules processed and the Header edit directive executed even if the engine should be off?

When DetectionOnly is active, I would not expect the engine to modify the responses, which also takes place in other rules
(we encountered a problem that our XML data was appended with HTML code in some cases and had to deactivate the rule).


Maybe somebody can throw some light on this.


Thank you in advance for your opinion,

Marcus Haarmann
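Editor's note with an added example (not Marcus's configuration and not a file from the OWASP CRS). Two points a practitioner would want to check against the setup above. First, `Header edit` is a mod_headers directive: SecRuleEngine switches ModSecurity's own rule processing on and off (which is what the "Processing disabled, skipping" lines in the debug log show), but it has no effect on other Apache modules, so a `Header edit` that lives in a CRS file still applies wherever that file is included; whether a given CRS release gates it with `env=` has to be checked in the file itself. Second, `<LocationMatch>` takes a regular expression: in `/context1/*.jsp` the `/*` means zero or more slashes and the unescaped `.` matches any single character, so that pattern does not match a URL such as `/context1/index.jsp`. The configuration below scopes the engine and the cookie rewrite to the same containers; the rule id `9000001`, the env variable name `add_httponly` and the anchored path patterns are assumptions made for the example.

```apache
# Added example, not the original poster's httpd.conf and not a CRS file.
# Goal: WAF engine and cookie hardening limited to the same locations.

# Default: engine off. This silences ModSecurity only; mod_headers,
# mod_rewrite etc. keep running on every request.
SecRuleEngine Off

# Do not include modsecurity_crs_55_application_defects.conf globally;
# the part of it we still want is re-created inside the containers below.

<LocationMatch "^/ws/services/">
    SecRuleEngine DetectionOnly
</LocationMatch>

# Anchored pattern with an escaped dot; the original "/context1/*.jsp"
# reads as "/context1" + zero or more "/" + any one character + "jsp".
<LocationMatch "^/context1/.*\.jsp$">
    SecRuleEngine DetectionOnly

    # Hypothetical rule id. phase:3 inspects response headers; pass/nolog
    # keep it non-disruptive. Note: setenv is a non-disruptive action and
    # still executes in DetectionOnly mode, so the rewrite below is live here.
    SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "!(?i:;\s?httponly)" \
        "id:9000001,phase:3,t:none,pass,nolog,setenv:add_httponly=1"

    # mod_headers directive: fires only when ModSecurity set the env var,
    # and only inside this container. Apache scoping limits it, not
    # SecRuleEngine.
    Header edit Set-Cookie "(?i)^((?:(?!;\s?httponly).)*)$" "$1; HttpOnly" env=add_httponly
</LocationMatch>
```

To verify, request a URL outside the containers (for example `/context1/application` as in the access log above) with `curl -si` and confirm the `Set-Cookie` header comes back unchanged, then request a matching `.jsp` URL and confirm `; HttpOnly` is appended. If the HttpOnly flag is not wanted even for the scoped locations because of the Java 1.6 clients, drop the `SecRule`/`Header edit` pair and keep only the `SecRuleEngine` lines.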