Re: [mod-security-users] w00tw00t rule
From: Jerry <gm...@ho...> - 2009-01-24 10:45:40
Ryan, I upgraded to latest version and the problem is still happening.

> [Ryan Barnett] There are some HTTP compliance issues that Apache will
> handle internally before a ModSecurity phase:1 rule can work within the
> post-read-request hook. In this case, the client sent a "HTTP/1.1"
> request but didn't include a Host header. When this happens, Apache will
> issue the 400 Bad Request and it will immediately go to the logging phase.
> Depending on your Apache configs (ErrorDoc settings, etc...) this may or
> may not populate the ModSecurity WEBSERVER_ERROR_LOG variable in phase:5.
> Did the following CRS rule not trigger? -
>
> # Log a security event when the request is rejected by apache
> #
> SecRule RESPONSE_STATUS ^400$ \
>     "t:none,phase:5,chain,log,auditlog,pass,msg:'Invalid request',id:'960913',severity:'2'"
> SecRule WEBSERVER_ERROR_LOG !ModSecurity "t:none"

The rule did not trigger and there is no entry in either of the audit or debug logs from around the time of the incident. All that is logged is in the Apache log, where a 400 is returned to the client. From mod sec's point of view 'nothing happened'.

So this does look as if Apache is dealing with this first and not giving mod security any details about it. Could this be due to the order of loading the mod sec module?
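Added example, not part of the thread: because Apache answers these requests with 400 before ModSecurity records anything, the access log is where they remain visible. The sketch below assumes a custom LogFormat (combined plus `%{Host}i`, an assumption not taken from the thread) and uses constructed sample lines; it lists HTTP/1.1 requests that arrived without a Host header and were rejected with 400.

```python
import re
from collections import Counter

# Assumed LogFormat (not from the thread): combined format plus the Host header.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Host}i\"" combined_host
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)

# Constructed sample lines; client addresses are from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Jan/2009:10:31:02 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-" "-"
198.51.100.7 - - [24/Jan/2009:10:31:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "www.example.com"
192.0.2.10 - - [24/Jan/2009:10:32:40 +0000] "GET / HTTP/1.1" 400 226 "-" "-" "-"
203.0.113.4 - - [24/Jan/2009:10:33:11 +0000] "GET /old HTTP/1.0" 404 209 "-" "curl/7.19" "-"
198.51.100.7 - - [24/Jan/2009:10:34:00 +0000] "GET /a%zz HTTP/1.1" 400 226 "-" "Mozilla/5.0" "www.example.com"
"""


def hostless_http11_rejections(log_text):
    """Return entries with status 400, an HTTP/1.1 request line and no Host header."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        protocol = m["request"].rsplit(" ", 1)[-1]
        # Apache logs a missing request header as "-".
        if m["status"] == "400" and protocol == "HTTP/1.1" and m["host"] in ("", "-"):
            hits.append(m.groupdict())
    return hits


def count_by_client(hits):
    """Group the flagged requests by client address."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = hostless_http11_rejections(SAMPLE_LOG)
    for ip, n in count_by_client(found).most_common():
        print(f"{ip}: {n} HTTP/1.1 request(s) without Host rejected with 400")
```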