[mod-security-users] DetectionOnly - how to force a deny?
From: Jeremiah B. <jb...@ev...> - 2014-06-12 23:22:40
Hi Everyone,

In 2.8.0, is it possible to override SecRuleEngine DetectionOnly with Deny for specific rules? I recall being able to do this in 2.6 and 2.7. I am hoping to deny bad uploads with my custom @inspectFile rule and just inspect everything else while I ease into production.

SecRule FILES_TMPNAMES "@inspectFile /etc/apache2/modsecurity.d/util/av-scanning/runav.pl" \
    "phase:2,t:none,log,deny,msg:'A virus or malicious content was found in uploaded file',id:'950115',tag:'MALICIOUS_SOFTWARE/VIRUS',tag:'PCI/5.1',severity:'2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{matched_var_name}=%{tx.0}"

Some config info:

OWASP_CRS/2.2.9

SecDefaultAction "phase:2,pass,log"

SecAction \
    "id:'900004', \
    phase:1, \
    t:none, \
    setvar:tx.anomaly_score_blocking=on, \
    nolog, \
    pass"

~Jeremy