Re: [mod-security-users] How can I test to see if mod_security is catching/blocking attempts?
From: Ryan B. <RBa...@tr...> - 2010-10-27 13:53:49
On 10/27/10 9:50 AM, "robert mena" <rob...@gm...> wrote:

> I've downloaded and used the rules from OWASP
>
> modsecurity_35_bad_robots.data
> modsecurity_50_outbound.data
> modsecurity_crs_48_local_exceptions.conf
> modsecurity_35_scanners.data
> modsecurity_50_outbound_malware.data
> modsecurity_crs_49_inbound_blocking.conf
> modsecurity_40_generic_attacks.data
> modsecurity_crs_41_phpids_converter.conf
> modsecurity_crs_50_outbound.conf
> modsecurity_41_sql_injection_attacks.data
> modsecurity_crs_41_phpids_filters.conf
> modsecurity_crs_59_outbound_blocking.conf
> modsecurity_42_comment_spam.data
> modsecurity_crs_41_sql_injection_attacks.conf
> modsecurity_crs_60_correlation.conf
> modsecurity_46_et_sql_injection.data
> modsecurity_crs_41_xss_attacks.conf
> modsecurity_46_et_web_rules.data
> modsecurity_crs_47_common_exceptions.conf
> modsecurity_crs_20_protocol_violations.conf
> modsecurity_crs_30_http_policy.conf
> modsecurity_crs_42_tight_security.conf
> modsecurity_crs_21_protocol_anomalies.conf
> modsecurity_crs_35_bad_robots.conf
> modsecurity_crs_45_trojans.conf
> modsecurity_crs_23_request_limits.conf
> modsecurity_crs_40_generic_attacks.conf
>
> I've configured SecDefaultAction "phase:2,drop,log"
>

Have you reviewed the modsec_debug.log file?

-Ryan

> On Wed, Oct 27, 2010 at 9:45 AM, Ryan Barnett <RBa...@tr...> wrote:
>> On 10/27/10 9:21 AM, "robert mena" <rob...@gm...> wrote:
>>
>>> Hi,
>>>
>>> Is there a way to test with standard attack vectors to see if mod_security
>>> is blocking the attempts for (example), sql injection?
>>>
>>> I've enabled and tried with www.mysite.com/?u=1 OR 1=1 but no message is
>>> logged in /var/log/httpd/error-log
>>>
>>
>> What rule set are you using? When I test your payload against our public
>> OWASP Core Rule Set (CRS) Demo it triggers SQL Injection alerts -
>> http://www.modsecurity.org/demo/phpids?test=1+OR+1%3D1
>>
>> -Ryan
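
Added example, not part of the original thread and not ModSecurity project code: a small Python helper that pulls ModSecurity entries out of an Apache error log and reports which rule file and id fired for a given test client and URI. The log lines are constructed in the ModSecurity 2.x error-log layout; the client addresses, rule ids, rule directory and unique_id values are placeholders, and `modsec_events` / `hits_for` are hypothetical names.

```python
import re

# Constructed Apache 2.2 error-log sample. Client addresses, rule ids, the rule
# directory and unique_id values are placeholders made up for this example.
SAMPLE_LOG = r'''
[Wed Oct 27 09:50:01 2010] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
[Wed Oct 27 09:50:02 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with connection close (phase 2). Pattern match "..." at ARGS:u. [file "/etc/httpd/modsecurity.d/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "000001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.mysite.com"] [uri "/"] [unique_id "AAAAAAAAAAAAAAAAAAAAAAAA"]
[Wed Oct 27 09:50:05 2010] [error] [client 192.0.2.11] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "1"] [id "000002"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.mysite.com"] [uri "/"] [unique_id "BBBBBBBBBBBBBBBBBBBBBBBB"]
'''

# "Access denied ..." means a disruptive action ran; "Warning" means log only.
MODSEC = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: '
    r'(?P<action>Access denied[^.]*|Warning)\.')
# Metadata fields look like [id "..."], [msg "..."], [uri "..."].
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def modsec_events(log_text):
    """Return one dict per ModSecurity line found in an Apache error log."""
    events = []
    for line in log_text.splitlines():
        m = MODSEC.search(line)
        if not m:
            continue  # ordinary Apache error, not a ModSecurity message
        event = dict(FIELD.findall(line))
        event["client"] = m.group("client")
        event["action"] = m.group("action")
        event["blocked"] = m.group("action").startswith("Access denied")
        events.append(event)
    return events


def hits_for(log_text, client, uri):
    """ModSecurity events logged for one test client and request URI."""
    return [e for e in modsec_events(log_text)
            if e["client"] == client and e.get("uri") == uri]


if __name__ == "__main__":
    for e in hits_for(SAMPLE_LOG, "192.0.2.10", "/"):
        verdict = "BLOCKED" if e["blocked"] else "logged only"
        print(verdict, e.get("id"), e.get("msg"), e.get("file"))
```

Run against the real `/var/log/httpd/error-log` after sending a test request, an empty result for your own client address means no ModSecurity message reached that log, which is the point at which the debug log mentioned in the reply is the next place to look.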