I tried the following but still can not start the apache. One interesting things, if I start up the apache then I change the httpd.conf to add this rule. I can not stop the apache.

I tried this (with double quote in action list)

SecRule REQUEST_URI_RAW "http://" "log,drop,phase:1,msg:'Possible Attack'"

Then I change to this.

SecRule REQUEST_URI_RAW "http:/" "phase:1,t:none,t:urlDecode,t:lowercase,t:normalisePath"



I try this without problem, it works fine. Only the REQUEST_URI_RAW has problem.

SecRule REQUEST_HEADERS:User-Agent "^Mozilla" "log,drop,phase:1,msg:'Possible Brute Force Attack'"



For my apache, I only install the --with-unique-id, without extra modules.




On Fri, May 28, 2010 at 7:19 PM, Ryan Barnett <Ryan.Barnett@breach.com> wrote:

Try putting double quotes around your action list.


Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett@Breach.com
www.Breach.com


From: Ma Fai
To: mod-security-users@lists.sourceforge.net
Sent: Fri May 28 06:57:03 2010
Subject: [mod-security-users] Can not start up after add REQUEST_URI_RAW
I use the based modsecurity_crs_10_config.conf


#Httpd.conf
Include conf/modsecurity_crs/*.conf

SecRule REQUEST_URI_RAW "http:/" phase:1,t:none,t:urlDecode,t:lowercase,t:normalisePath


after I add SecRule REQUEST_URI_RAW, then the apache can not start up, halt & no response. The httpd can not start it up.

Any one has experience on it?