I have been using modsec 1 for several years and am using modsec 2 on a new server. While switching over I have found some very odd behavior...

Example: To block an empty user agent the regex should be ^$ -- my rule is:

SecRule REQUEST_HEADERS:User-Agent "^$" \
"t:none,log,deny,status:411,t:compressWhiteSpace, t:replaceNulls, msg:'null UA'"

* The rule is as close to the beginning of the ruleset as possible
* If I make the rule phase1 it gets skipped altogether in the debug output.

Default rule is:
SecDefaultAction "phase:2,deny,log,status:406,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

Trying a simple script against this server (file_get_contents + setting a blank UA) I get this in the logs:

IP-ADDRESS - - [22/Aug/2009:17:14:24 -0500] "GET /tools/modsectest9x.php HTTP/1.0" 200 60 "-" "-"

So a blank referer and blank UA - and yet modsec lets the connection sail through, plus if I debug modsec (level 9) I can see the rule being eval'd and ignored. (output below is trimmed of the date/ip/rid)

 [4] Recipe: Invoking rule 95510e8; [file "/usr/local/apache/conf/modsec2.user.conf"] [line "33"].
 [5] Rule 95510e8: SecRule "REQUEST_HEADERS:User-Agent" "@rx ^$" "phase:2,status:411,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:none,log,deny,t:compressWhiteSpace,t:replaceNulls,msg:'null UA'"
 [4] Rule returned 0.
 [9] No match, not chained -> mode NEXT_RULE.

I have ensured my IP is not whitelisted and run the script from several locations just in case.
I have tried every variation of regex I can think of and then some, but still nothing.
I have tried every variation of the rule, but no joy.

* Linux s 2.6.18-128.1.10.el5PAE #1 SMP Thu May 7 11:14:31 EDT 2009 i686 i686 i386 GNU/Linux
* Apache 2.2.11
* webserver built by theplanet for hostgator
* Modsec 2.5.9

On top of this, modsec will not catch ARGS | ARGS_POST which I use to trap comment spam keywords, or obey nolog!  :(

I am seriously thinking of downgrading to apache 1.3 and modsec 1.9x so I can just move on and get some work done!

Any suggestions or ideas of where to look?
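As an added example (not code from the original post), the following pair of rules covers the two cases the "-" in the access log can stand for: a User-Agent header that was never sent, and one that was sent with an empty value. The rule ids are placeholders.

```apache
# Added example, not from the original post: two ModSecurity 2.x rules that
# together block requests with no usable User-Agent.
#
# A header the client never sends creates no entry in REQUEST_HEADERS, so a
# regex such as "^$" against REQUEST_HEADERS:User-Agent has nothing to run
# against and cannot match. The & prefix counts the matching variables
# instead; a count of 0 means the header is absent. Request headers are
# available in phase 1, and t:none clears the transformations inherited
# from SecDefaultAction.
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:1000001,phase:1,t:none,log,deny,status:411,msg:'User-Agent header absent'"

# A header that is sent but carries an empty (or whitespace-only) value does
# populate the collection; this second rule catches that case.
SecRule REQUEST_HEADERS:User-Agent "^\s*$" \
    "id:1000002,phase:1,t:none,log,deny,status:411,msg:'User-Agent header empty'"
```

With debug logging at level 9 the first rule shows "Rule returned 1" for a request carrying no User-Agent line at all, which is the case a plain regex on the header value never reaches.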
