I'm still going through the rules, this seems to create a false positive for PDA phones

Message: Warning. Pattern match "(?:[\\+\\@\\%#\"\\']|\\|\\||\\-\\-)" at REQUEST_HEADERS:x-wap-profile-diff. [id "50905"] [msg "(default/generic_attacks.conf) SQL Injection Attack"] [severity "WARNING"]

x-wap-profile-diff: 1; <?xml version="1.0" encoding="iso-8859-1"?><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" xmlns:prf="http://www.openmobilealliance.org/tech/profiles/UAPROF/ccppschema-20021212#"><rdf:Description rdf:ID="DeviceProfile"><prf:component><rdf:Description rdf:ID="BrowserUA"><prf:TablesCapable>No</prf:TablesCapable><prf:JavaScriptEnabled>No</prf:JavaScriptEnabled></rdf:Description></prf:component></rdf:Description></rdf:RDF>


SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \
        "chain,auditlog,id:50905,severity:4,msg:'(default/generic_attacks.conf) SQL Injection Attack'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:[\+\@\%#\"\']|\|\||\-\-)"


Any ideas what this is doing? I had to turn it off for a location.
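To see why this header trips rule 50905, here is an added Python model (not the post's own nor ModSecurity's code) that runs the chain's two patterns from the rule quoted above over a constructed request. In a ModSecurity 2.x chain each rule is matched against its own target list, so the chain fires when rule 1 finds a keyword in any target (here a constructed ARGS:action=update) and rule 2 finds a metacharacter in any target; the x-wap-profile-diff value only ever satisfies rule 2, through its " and # characters, and the logged message is the last rule's match.

```python
import re

# The two chained rules of id 50905 quoted above (Apache's \" unescaped to " for Python).
SQL_KEYWORDS = re.compile(
    r"\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)"
    r"|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)"
    r"|group\b\W*\bby|having|insert|length|where)\b"
)
SQL_METACHARS = re.compile(r"""(?:[\+\@\%#"']|\|\||\-\-)""")

# The x-wap-profile-diff value from the post, as a constructed sample string.
WAP_PROFILE_DIFF = (
    '1; <?xml version="1.0" encoding="iso-8859-1"?><rdf:RDF '
    'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
    'xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" '
    'xmlns:prf="http://www.openmobilealliance.org/tech/profiles/UAPROF/ccppschema-20021212#">'
    '<rdf:Description rdf:ID="DeviceProfile"><prf:component>'
    '<rdf:Description rdf:ID="BrowserUA"><prf:TablesCapable>No</prf:TablesCapable>'
    '<prf:JavaScriptEnabled>No</prf:JavaScriptEnabled></rdf:Description>'
    '</prf:component></rdf:Description></rdf:RDF>'
)

def first_hits(pattern, variables):
    """Map each matched request variable to its first match; Referer is excluded like in the rule."""
    hits = {}
    for name, value in variables.items():
        if name == "REQUEST_HEADERS:Referer":
            continue
        m = pattern.search(value)
        if m:
            hits[name] = m.group(0)
    return hits

def chain_fires(variables):
    """Model of the two-rule chain: each rule is evaluated over its own targets
    and the chain matches when every rule matched somewhere, not necessarily in
    the same variable. Returns (fired, hits_of_rule_1, hits_of_rule_2)."""
    hits1 = first_hits(SQL_KEYWORDS, variables)
    hits2 = first_hits(SQL_METACHARS, variables)
    return bool(hits1) and bool(hits2), hits1, hits2

def triggering_chars(value):
    """Distinct substrings of one value that the metacharacter rule matches."""
    return sorted(set(SQL_METACHARS.findall(value)))

if __name__ == "__main__":
    # Constructed PDA request: header alone fails rule 1; one keyword elsewhere completes the chain.
    pda = {"REQUEST_FILENAME": "/wap/index.wml", "REQUEST_HEADERS:x-wap-profile-diff": WAP_PROFILE_DIFF}
    print(chain_fires(pda)[0], triggering_chars(WAP_PROFILE_DIFF))   # False ['"', '#']
    print(chain_fires({**pda, "ARGS:action": "update"})[0])          # True
```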




Ofer Shezaf wrote:


'SecFilterEngine' is a 1.9.x directive. You got it right and SecRuleEngine is the correct directive for ModSecurity 2.x. Sorry for the typo.


~ Ofer



From: mod-security-users-bounces@lists.sourceforge.net [mailto:mod-security-users-bounces@lists.sourceforge.net] On Behalf Of Dan Rossi
Sent: Monday, November 27, 2006 8:15 AM
To: Ivan Ristic
Cc: mod-security-users@lists.sourceforge.net
Subject: Re: [mod-security-users] mod-security-users Digest, Vol 6, Issue 22


Ivan Ristic wrote:

On 11/21/06, Dan Rossi <spam@electroteque.org> wrote:

Ivan Ristic wrote:
>
> It is documented and it works. However, "SecFilterInheritance"
> prevents the rules from being inherited from the parent context but it
> does nothing to the configuration options. The configuration settings
> are always inherited. If you want something different to happen just
> provide different configuration. So, in your case you could do
> something like:
>
> <Location /signup>
> SecFilterInheritance Off
> SecFilterForceByteRange 0 255
> </Location>
>

Ok, what I'm saying here is, every rule set as default will have to be
overwritten as you have here, i.e. the ones we need to override for etc., so
mod sec can't be turned off per virtualhost for instance?


Sure it can:

<VirtualHost whatever>
   SecFilterEngine Off
   SecAuditEngine Off
</VirtualHost>

Hi Ivan, I just put these rules inside virtualhost for mod sec 2 and I get this

Invalid command 'SecFilterEngine', perhaps mis-spelled or defined by a module not included in the server configuration


If I do

SecRuleEngine Off
SecAuditEngine Off


It's ok, however for some of our Zend encoded files something happens with the posts. I don't get any errors but it seems modsec is doing something even though I've turned it off in that path and redirects back to the file. I can't go into the code and look because it's encoded and there is no log :\