What version of ModSecurity are you using?
Can you give some audit log examples of the type of transaction you want to
My guess here is that while you do want to
use RegEx anchors for the SCRIPT_FILENAME variable (to reduce evasions and
false positives) it is probably too restrictive and is preventing the
REQUEST_BODY variable from matching as there is probably other data present such
as the parameter names, etc…
[mailto:email@example.com] On Behalf Of SoFy DeNiro
Sent: Tuesday, May 27, 2008 9:15
I'm trying to make some files denied for any user,expect if he have 0 UID. I
tried this rule :
SecRule SCRIPT_FILENAME|REQUEST_BODY "^/home/user/important\.php$"
SecRule "SCRIPT_UID "!^0$".
then, I can't log to this file from browser and that's fine, but I can get it
from php codes, so that's mean the REQUEST_BODY didn't work..
any suggestions ?