Re: [mod-security-users] nginx and modsecurity custom rules not applied

[Ryan B. <RBa...@tr...>]

From: george Nopicture <mad...@ho...<mailto:mad...@ho...>>
Reply-To: "mod...@li...<mailto:mod...@li...>" <mod...@li...<mailto:mod...@li...>>
Date: Friday, November 1, 2013 8:21 AM
To: "mod...@li...<mailto:mod...@li...>" <mod...@li...<mailto:mod...@li...>>
Subject: Re: [mod-security-users] nginx and modsecurity custom rules not applied

Sorry list:
My bad i hadn't set the default action to pass phase 1 to enable delayed blocking mode(aka anomaly scoring)- thought that was enabled by default. Custom rules working nicely

SecRule REQUEST_URI " @contains /REST" "id:9000**,phase:1,t:none,nolog,pass,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT DELETE',setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|text/html|application/json'"

Neat job on modsecurity from the team(now i got to find why it breaks ajax post requests with content-type:text/plain or application/x-www-form-urlencoded  in my app).

You would need to modify this line in the 10 setup config file or override it for AJAX requests (like you are doing here with REST URLs) to add "text/plain" -
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/modsecurity_crs_10_setup.conf.example#L279

Not sure why application-x-form-urlencoded would be triggering though.  Would have to look at an audit log event.

-Ryan

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.