[mod-security-users] Simple question - how do I allow download of exe?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

All,

So I have mod security setup and protecting the application. All working
well. Now the client wants to host a .exe that will be used by support
personal to help people when they hit issues. So I thought I could just add
the following to httpd.conf and all would be well

    <LocationMatch /support/TeamViewerQS.exe>
        SecRuleEngine Off
    </LocationMatch>

However mod_security still fires and blocks the access.

Mod security 2.5.13 core rule-set 2.1.1

How can I allow download of this single file? I haven't seen anyone else
post logs so not sure if its the right thing to do - I've sanitized it so
guess it should be ok

Thanks

Chris

--29000000-A-- [03/May/2011:16:01:06 +0100]
TcAYsk1ERPAAAAF4BgQAAAA@<src.ip> 34965 <dest.ip> 443

--29000000-B-- GET /support/TeamViewerQS.exe HTTP/1.1
Host: <source host>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101
Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 DNT: 1
Connection: keep-alive
Cookie: JSESSIONID=B1061173B34C165AC249A64ED8D1D631
Pragma: no-cache
Cache-Control: no-cache

--29000000-F-- HTTP/1.1 403 Forbidden
Content-Length: 226 Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--29000000-H--
Apache-Error: [file
"C:\\local0\\asf\\release\\build-2.2.17\\modules\\aaa\\mod_authz_host.c"]
[line 311] [level 3] client denied by server configuration:
D:/apps/Apache2.2/htdocs/venus/support/TeamViewerQS.exe\r
Stopwatch: 1304434866559600 0 (- - -)
Producer: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); core
ruleset/2.1.1.
Server: Apache WebApp-Info: "QNS" "-" "-"

--29000000-K--
SecAction
"auditlog,status:412,phase:1,t:none,nolog,pass,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2"

SecAction
"auditlog,status:412,phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"

SecAction
"auditlog,status:412,phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"

SecAction
"auditlog,status:412,phase:1,t:none,nolog,pass,setvar:tx.paranoid_mode=0"
SecAction
"auditlog,status:412,phase:1,t:none,nolog,pass,setvar:tx.max_num_args=255"
SecAction
"auditlog,status:412,phase:1,t:none,nolog,pass,setvar:'tx.allowed_methods=GET
HEAD POST
OPTIONS',setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded
multipart/form-data text/xml application/xml application/x-amf
text/x-gwt-rpc',setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0
HTTP/1.1',setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/
.backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/
.csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/
.inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/
.printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/
.webinfo/ .xsd/ .xsx/',setvar:'tx.restricted_headers=/Proxy-Connection/
/Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'" SecRule
"REQUEST_HEADERS:User-Agent" "@rx ^(.*)$"
"auditlog,status:412,phase:1,t:none,pass,nolog,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var}"

SecAction
"auditlog,status:412,phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$"
"log,auditlog,status:412,phase:1,chain,rev:2.1.1,t:none,block,msg:'GET or
HEAD requests with
bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,tag:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3"

--29000000-Z--