Add "ctl:ruleEngine=On" to the action list for that rule. 

Ryan Barnett

Senior Lead Security Researcher, SpiderLabs

 

Trustwave | SMART SECURITY ON DEMAND

www.trustwave.com


On Jun 12, 2014, at 7:28 PM, "Jeremiah Brock" <jbrock@everettcc.edu> wrote:

Hi Everyone,

    In 2.8.0, is it possible to override SecRuleEngine DetectionOnly with Deny for specific rules?  I recall being able to do this in 2.6 and 2.7.

    I am hoping to deny bad uploads with my custom @inspectFile rule and just inspect everything else while I ease into production.

SecRule FILES_TMPNAMES "@inspectFile /etc/apache2/modsecurity.d/util/av-scanning/runav.pl" \
"phase:2,t:none,log,deny,msg:'A virus or malicious content was found in uploaded file',id:'950115',tag:'MALICIOUS_SOFTWARE/VIRUS',tag:'PCI/5.1',severity:'2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{matched_var_name}=%{tx.0}"

Some config info :

OWASP_CRS/2.2.9

SecDefaultAction "phase:2,pass,log"

SecAction \
  "id:'900004', \
  phase:1, \
  t:none, \
  setvar:tx.anomaly_score_blocking=on, \
  nolog, \
  pass"


~Jeremy
------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://scanmail.trustwave.com/?c=4062&d=hrea08BkIUmGEDNrOI-8nRCFvSZsflBjTUCgAnGfhg&s=5&u=http%3a%2f%2fp%2esf%2enet%2fsfu%2fhpccsystems
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
http://scanmail.trustwave.com/?c=4062&d=hrea08BkIUmGEDNrOI-8nRCFvSZsflBjTRClAXXOgA&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://scanmail.trustwave.com/?c=4062&d=hrea08BkIUmGEDNrOI-8nRCFvSZsflBjTUL3VSyahA&s=5&u=http%3a%2f%2fwww%2emodsecurity%2eorg%2fprojects%2fcommercial%2frules%2f
http://scanmail.trustwave.com/?c=4062&d=hrea08BkIUmGEDNrOI-8nRCFvSZsflBjTUPzByDO0Q&s=5&u=http%3a%2f%2fwww%2emodsecurity%2eorg%2fprojects%2fcommercial%2fsupport%2f



This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.