Re: [mod-security-users] Newbie Question - ModSec + SquidGuard

[Ryan B. <Ryan.Barnett@Breach.com>]

You can also do redirects with ModSecurity instead of deny.  Just change the action settings and redirect them to your friendly blocked page.

Thanks,
Ryan C. Barnett 

----- Original Message -----
From: mod...@li... <mod...@li...>
To: mod...@li... <mod...@li...>
Sent: Sat May 03 09:26:02 2008
Subject: [mod-security-users] Newbie Question - ModSec + SquidGuard

Hello all,

Firstly let me say that, having just installed ModSecurity I am *very*
impressed with it. Thank you to all the devs for such a great product.

I am not a sysadmin, I just have a simple, largely static, website with
a few bits of dynamic content (eg a squirrelmail webmail package serving
up my family's mail from behind a AuthUserFile password protected area).

I protect my children from undesirable web content by using a squid
proxy server + squidGuard filter.

Prior to installing ModSecurity this worked just fine, redirecting to a
page informing them that the site is blocked.

Now they just get a 400 Bad Request which can be confusing.

I think that ModSecurity is blocking access to the squidGuard.cgi app
which serves up the squidGuard blocking page, but I think ModSecurity is
blocking because it's come via a numeric IP. (see extract from
debug.log)

[03/May/2008:14:09:11 +0100]
[www.mydomain.co.uk/sid#b92b64a8][rid#b97a0f80][/cgi-bin/squidGuard.cgi][1]
Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at
REQUEST_HEADERS:Host. [id "960017"] [msg "Host header is a numeric IP
address"] [severity "CRITICAL"]

This causes problems because my internal network relies heavily on
numerical IP addresses.

Commenting out the above rule in
modsecurity_crs_21_protocol_anomalies.conf allows it all to work
properly again but I am not sure this is the best way to solve the
problem.

Should I create a local rule? If so how? (I might need some
hand-holding...)

Thanks in advance for any help.

Mark