Thread: Re: [Mod-security-developers] WS2008 R2 SP1 (64bit) IIS 7.5
Brought to you by:
victorhora,
zimmerletw
From: Greg W. <gwr...@ho...> - 2012-10-31 07:36:40
|
Could you send us the details of the crash events? Or even better a crash dump if possible. Did you enable ModSecurity in your web.config file? If not, then there should be no crash for sure. We had an issue with a crash when the ModSecurity configuration file with rules was missing (in most cases you would put it in the same folder where web.config is), but it was fixed. Greg > Date: Thu, 25 Oct 2012 15:57:09 +0200 > From: Jan van Valen jan...@it... > Subject: [Mod-security-developers] WS2008 R2 SP1 (64bit) IIS 7.5 > ModSecurityiis.dll crash (2.7.0) > To: "mod...@li..." > <mod...@li...> > Message-ID: > <F0F...@ti...> > > Content-Type: text/plain; charset="us-ascii" > > Hi, > > Trying to get ModSecurity 2.7.0 to work on a windows server 2008 R2 SP1 with IIS7.5 to no avail. > This is what I tried so far: > > - Installer 2.7.0.msi > > - Downloaded the debug version followed the reference manual: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-Installation_for_Microsoft_IIS > > - Copied and registered everything in either System32 (32bit) and SysWOW64 (64bit) > > - Did a DepencyWalker which only mentioned IEFRAME.DLL for which I read online that's almost always the case. > > - Reinstalled vcredist_x64 > > - Set the application pool to 'Enable 32-Bit Applications' > > All result in 'HTTP Error 503. The service is unavailable' and crash events for modsecurityiis.dll in the Application Event log. > > On http://blog.spiderlabs.com/2012/07/announcing-the-availability-of-modsecurity-extension-for-iis.html in the comments it states that 'you can add the modsecurity.conf file into the wwwroot'. > I'm a little confused about what that location should be. > > In my situation I have the default website removed. Created a website in d:\websites\website. > Where should I put the conf and the rules? )If that should solve my problem. > > What else can I do to make it work? > Thnx, > JamBo |
From: Greg W. <gwr...@ho...> - 2012-11-16 21:03:38
|
The event log error clearly indicates an issue with the installation. I just did a fresh test with latest bits on WS2008 R2 and everything worked for me. I used the administrator command line installation method and here is my output: Microsoft Windows [Version 6.1.7600] Copyright (c) 2009 Microsoft Corporation. All rights reserved.C:\Users\gwroblew>cd \temp\modsecurityC:\Temp\modsecurity>copyfiles.batC:\Temp\modsecurity>IF /I AMD64 == x86 GOTO x86C:\Temp\modsecurity>copy x86\*.dll C:\Windows\syswow64\inetsrv x86\libapr-1.dll x86\libapriconv-1.dll x86\libaprutil-1.dll x86\libcurl.dll x86\libxml2.dll x86\lua5.1.dll x86\ModSecurityIIS.dll x86\pcre.dll x86\zlib1.dll 9 file(s) copied.C:\Temp\modsecurity>copy amd64\*.dll C:\Windows\system32\inetsrv amd64\libapr-1.dll amd64\libapriconv-1.dll amd64\libaprutil-1.dll amd64\libcurl.dll amd64\libxml2.dll amd64\lua5.1.dll amd64\ModSecurityIIS.dll amd64\pcre.dll amd64\zlib1.dll 9 file(s) copied.C:\Temp\modsecurity>copy x86\*.pdb C:\Windows\syswow64\inetsrv x86\libapr-1.pdb x86\libapriconv-1.pdb x86\libaprutil-1.pdb x86\libcurl.pdb x86\lua5.1.pdb x86\ModSecurityIIS.pdb x86\pcre.pdb x86\zlib1.pdb 8 file(s) copied.C:\Temp\modsecurity>copy amd64\*.pdb C:\Windows\system32\inetsrv amd64\libapr-1.pdb amd64\libapriconv-1.pdb amd64\libaprutil-1.pdb amd64\libcurl.pdb amd64\lua5.1.pdb amd64\ModSecurityIIS.pdb amd64\pcre.pdb amd64\zlib1.pdb 8 file(s) copied.C:\Temp\modsecurity>GOTO endC:\Temp\modsecurity>register.batC:\Temp\modsecurity>pushd \C:\>cd C:\Windows\system32\inetsrvC:\Windows\System32\inetsrv>appcmd.exe install module /name:ModSecurityIIS /imag e:C:\Windows\system32\inetsrv\modsecurityiis.dll GLOBAL MODULE object "ModSecurityIIS" added MODULE object "ModSecurityIIS" addedC:\Windows\System32\inetsrv>popdC:\Temp\modsecurity>addschema.batC:\Temp\modsecurity>iisschema.exe /install ModSecurity.xml Installing schema file: C:\Temp\modsecurity\ModSecurity.xml Installed schema file: C:\Windows\system32\inetsrv\config\schema\ModSecurity.xmlRegistered section: system.webServer/ModSecurity Finished After that I modified a web.config file, added ModSecurity config file to wwwroot and it worked as expected. Greg > ------------------------------ > > Message: 6 > Date: Thu, 15 Nov 2012 16:04:56 +0100 > From: Jan van Valen <jan...@it...> > Subject: Re: [Mod-security-developers] WS2008 R2 SP1 (64bit) IIS 7.5 > To: "mod...@li..." > <mod...@li...> > Message-ID: > <F0F...@ti...> > > Content-Type: text/plain; charset="us-ascii" > > Greg, > > Did the same tests with the new 2.7.1 but no progress. > > In the event log I only have: > > The Module DLL 'C:\Windows\system32\inetsrv\modsecurityiis.dll' could not be loaded due to a configuration problem. The current configuration only supports loading images built for a x86 processor architecture. The data field contains the error number. > > I have modsecurity enabled in the web.config (without, the error is also present - when I add <remove name="ModSecurityIIS" /> no error) > The webconfig is set to: <ModSecurity enabled="true" configFile="c:\websites\wesbitename\modsecurity.conf" /> > > The conf file is at the same level as the web.config. > As the error points to a 'configuration problem' I fear my conf is wrong. I worked through the wiki and google but cannot find any pointers to how this conf should be configured for windows and where the actual activated_rules should be. > > modsecurity.conf (comments removed): > ********************************************** > SecComponentSignature "OWASP_CRS/2.2.6" > SecDefaultAction "phase:1,deny,nolog,auditlog" > SecAction \ > "id:'900001', \ > phase:1, \ > t:none, \ > setvar:tx.critical_anomaly_score=5, \ > setvar:tx.error_anomaly_score=4, \ > setvar:tx.warning_anomaly_score=3, \ > setvar:tx.notice_anomaly_score=2, \ > nolog, \ > pass" > SecAction \ > "id:'900002', \ > phase:1, \ > t:none, \ > setvar:tx.inbound_anomaly_score_level=5, \ > nolog, \ > pass" > SecAction \ > "id:'900003', \ > phase:1, \ > t:none, \ > setvar:tx.outbound_anomaly_score_level=4, \ > nolog, \ > pass" > #SecAction \ > "id:'900004', \ > phase:1, \ > t:none, \ > setvar:tx.anomaly_score_blocking=on, \ > nolog, \ > pass" > #SecGeoLookupDb /opt/modsecurity/lib/GeoLiteCity.dat > #SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \ > "id:'900005', \ > phase:1, \ > t:none, \ > ctl:ruleEngine=DetectionOnly, \ > setvar:tx.regression_testing=1, \ > nolog, \ > pass" > SecAction \ > "id:'900006', \ > phase:1, \ > t:none, \ > setvar:tx.max_num_args=255, \ > nolog, \ > pass" > #SecAction \ > "id:'900007', \ > phase:1, \ > t:none, \ > setvar:tx.arg_name_length=100, \ > nolog, \ > pass" > #SecAction \ > "id:'900008', \ > phase:1, \ > t:none, \ > setvar:tx.arg_length=400, \ > nolog, \ > pass" > #SecAction \ > "id:'900009', \ > phase:1, \ > t:none, \ > setvar:tx.total_arg_length=64000, \ > nolog, \ > pass" > #SecAction \ > "id:'900010', \ > phase:1, \ > t:none, \ > setvar:tx.max_file_size=1048576, \ > nolog, \ > pass" > #SecAction \ > "id:'900011', \ > phase:1, \ > t:none, \ > setvar:tx.combined_file_sizes=1048576, \ > nolog, \ > pass" > SecAction \ > "id:'900012', \ > phase:1, \ > t:none, \ > setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \ > setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \ > setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \ > setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \ > setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \ > nolog, \ > pass" > #SecAction \ > "id:'900013', \ > phase:1, \ > t:none, \ > setvar:tx.csp_report_only=1, \ > setvar:tx.csp_report_uri=/csp_violation_report, \ > setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com; script-src *.yoursite.com; report-uri %{tx.csp_report_uri}', \ > nolog, \ > pass" > #SecAction \ > "id:'900014', \ > phase:1, \ > t:none, \ > setvar:'tx.brute_force_protected_urls=/login.jsp /partner_login.php', \ > setvar:'tx.brute_force_burst_time_slice=60', \ > setvar:'tx.brute_force_counter_threshold=10', \ > setvar:'tx.brute_force_block_timeout=300', \ > nolog, \ > pass" > #SecAction \ > "id:'900015', \ > phase:1, \ > t:none, \ > setvar:'tx.dos_burst_time_slice=60', \ > setvar:'tx.dos_counter_threshold=100', \ > setvar:'tx.dos_block_timeout=600', \ > nolog, \ > pass" > SecAction \ > "id:'900016', \ > phase:1, \ > t:none, \ > setvar:tx.crs_validate_utf8_encoding=1, \ > nolog, \ > pass" > SecRule REQUEST_HEADERS:Content-Type "text/xml" \ > "id:'900017', \ > phase:1, \ > t:none,t:lowercase, \ > nolog, \ > pass, \ > chain" > SecRule REQBODY_PROCESSOR "!@streq XML" \ > "ctl:requestBodyProcessor=XML" > SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \ > "id:'900018', \ > phase:1, \ > t:none,t:sha1,t:hexEncode, \ > setvar:tx.ua_hash=%{matched_var}, \ > nolog, \ > pass" > SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \ > "id:'900019', \ > phase:1, \ > t:none, \ > capture, \ > setvar:tx.real_ip=%{tx.1}, \ > nolog, \ > pass" > SecRule &TX:REAL_IP "!@eq 0" \ > "id:'900020', \ > phase:1, \ > t:none, \ > initcol:global=global, \ > initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \ > nolog, \ > pass" > SecRule &TX:REAL_IP "@eq 0" \ > "id:'900021', \ > phase:1, \ > t:none, \ > initcol:global=global, \ > initcol:ip=%{remote_addr}_%{tx.ua_hash}, \ > nolog, \ > pass" > ************************************************** > Reagards, > JamBo > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > ------------------------------------------------------------------------------ > Monitor your physical, virtual and cloud infrastructure from a single > web console. Get in-depth insight into apps, servers, databases, vmware, > SAP, cloud infrastructure, etc. Download 30-day Free Trial. > Pricing starts from $795 for 25 servers or applications! > http://p.sf.net/sfu/zoho_dev2dev_nov > > ------------------------------ > > _______________________________________________ > mod-security-developers mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-developers > > > End of mod-security-developers Digest, Vol 25, Issue 2 > ****************************************************** |
From: Jan v. V. <jan...@it...> - 2012-11-19 15:28:56
|
Greg, Thank you so much for your time. But I'm about to give up...;( Created a website under the c:\inetpub\wwwroot\ -> website This website runs fine without modsecurity. I did exactly like you did(used the administrator command line installation method) and my output is exactly the same. In the web.config I set <ModSecurity enabled="true" configFile="c:\inetpub\wwwroot\website\ModSecurity.xml" /> The same error still occurs. I also tried placing the conf a level higher: <ModSecurity enabled="true" configFile="c:\inetpub\wwwroot\ModSecurity.xml" /> The same error still occurs. Still, I'm confused where to place the rules files themselves, i.e. modsecurity_35_bad_robots.data, modsecurity_crs_20_protocol_violations.conf etc... Thnx, JamBo |
From: Greg W. <gwr...@ho...> - 2012-11-20 18:35:31
|
Let's not give up, we might be onto something very important. Was your configuration Win2k8 R2 SP1 64bit?Did you run the scripts in 32-bit or 64-bit CMD window? Was it a clean installation of the OS? I would really like to nail down the configuration required to reproduce this problem. Thanks,Greg> From: mod...@li... > Subject: mod-security-developers Digest, Vol 25, Issue 3 > To: mod...@li... > Date: Mon, 19 Nov 2012 15:28:56 +0000 > > Send mod-security-developers mailing list submissions to > mod...@li... > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.sourceforge.net/lists/listinfo/mod-security-developers > or, via email, send a message with subject or body 'help' to > mod...@li... > > You can reach the person managing the list at > mod...@li... > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of mod-security-developers digest..." > > > Today's Topics: > > 1. Re: WS2008 R2 SP1 (64bit) IIS 7.5 (Greg Wroblewski) > 2. Re: WS2008 R2 SP1 (64bit) IIS 7.5 (Jan van Valen) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Fri, 16 Nov 2012 13:03:31 -0800 > From: Greg Wroblewski <gwr...@ho...> > Subject: Re: [Mod-security-developers] WS2008 R2 SP1 (64bit) IIS 7.5 > To: "mod...@li..." > <mod...@li...> > Message-ID: <BLU...@ph...l> > Content-Type: text/plain; charset="iso-8859-1" > > The event log error clearly indicates an issue with the installation. I just did a fresh test with latest bits on WS2008 R2 and everything worked for me. I used the administrator command line installation method and here is my output: Microsoft Windows [Version 6.1.7600] > Copyright (c) 2009 Microsoft Corporation. All rights reserved.C:\Users\gwroblew>cd \temp\modsecurityC:\Temp\modsecurity>copyfiles.batC:\Temp\modsecurity>IF /I AMD64 == x86 GOTO x86C:\Temp\modsecurity>copy x86\*.dll C:\Windows\syswow64\inetsrv > x86\libapr-1.dll > x86\libapriconv-1.dll > x86\libaprutil-1.dll > x86\libcurl.dll > x86\libxml2.dll > x86\lua5.1.dll > x86\ModSecurityIIS.dll > x86\pcre.dll > x86\zlib1.dll > 9 file(s) copied.C:\Temp\modsecurity>copy amd64\*.dll C:\Windows\system32\inetsrv > amd64\libapr-1.dll > amd64\libapriconv-1.dll > amd64\libaprutil-1.dll > amd64\libcurl.dll > amd64\libxml2.dll > amd64\lua5.1.dll > amd64\ModSecurityIIS.dll > amd64\pcre.dll > amd64\zlib1.dll > 9 file(s) copied.C:\Temp\modsecurity>copy x86\*.pdb C:\Windows\syswow64\inetsrv > x86\libapr-1.pdb > x86\libapriconv-1.pdb > x86\libaprutil-1.pdb > x86\libcurl.pdb > x86\lua5.1.pdb > x86\ModSecurityIIS.pdb > x86\pcre.pdb > x86\zlib1.pdb > 8 file(s) copied.C:\Temp\modsecurity>copy amd64\*.pdb C:\Windows\system32\inetsrv > amd64\libapr-1.pdb > amd64\libapriconv-1.pdb > amd64\libaprutil-1.pdb > amd64\libcurl.pdb > amd64\lua5.1.pdb > amd64\ModSecurityIIS.pdb > amd64\pcre.pdb > amd64\zlib1.pdb > 8 file(s) copied.C:\Temp\modsecurity>GOTO endC:\Temp\modsecurity>register.batC:\Temp\modsecurity>pushd \C:\>cd C:\Windows\system32\inetsrvC:\Windows\System32\inetsrv>appcmd.exe install module /name:ModSecurityIIS /imag > e:C:\Windows\system32\inetsrv\modsecurityiis.dll > GLOBAL MODULE object "ModSecurityIIS" added > MODULE object "ModSecurityIIS" addedC:\Windows\System32\inetsrv>popdC:\Temp\modsecurity>addschema.batC:\Temp\modsecurity>iisschema.exe /install ModSecurity.xml > Installing schema file: C:\Temp\modsecurity\ModSecurity.xml > Installed schema file: C:\Windows\system32\inetsrv\config\schema\ModSecurity.xmlRegistered section: system.webServer/ModSecurity > Finished > After that I modified a web.config file, added ModSecurity config file to wwwroot and it worked as expected. > Greg > ------------------------------ |
From: Jan v. V. <jan...@it...> - 2012-11-15 15:05:11
|
Greg, Did the same tests with the new 2.7.1 but no progress. In the event log I only have: The Module DLL 'C:\Windows\system32\inetsrv\modsecurityiis.dll' could not be loaded due to a configuration problem. The current configuration only supports loading images built for a x86 processor architecture. The data field contains the error number. I have modsecurity enabled in the web.config (without, the error is also present - when I add <remove name="ModSecurityIIS" /> no error) The webconfig is set to: <ModSecurity enabled="true" configFile="c:\websites\wesbitename\modsecurity.conf" /> The conf file is at the same level as the web.config. As the error points to a 'configuration problem' I fear my conf is wrong. I worked through the wiki and google but cannot find any pointers to how this conf should be configured for windows and where the actual activated_rules should be. modsecurity.conf (comments removed): ********************************************** SecComponentSignature "OWASP_CRS/2.2.6" SecDefaultAction "phase:1,deny,nolog,auditlog" SecAction \ "id:'900001', \ phase:1, \ t:none, \ setvar:tx.critical_anomaly_score=5, \ setvar:tx.error_anomaly_score=4, \ setvar:tx.warning_anomaly_score=3, \ setvar:tx.notice_anomaly_score=2, \ nolog, \ pass" SecAction \ "id:'900002', \ phase:1, \ t:none, \ setvar:tx.inbound_anomaly_score_level=5, \ nolog, \ pass" SecAction \ "id:'900003', \ phase:1, \ t:none, \ setvar:tx.outbound_anomaly_score_level=4, \ nolog, \ pass" #SecAction \ "id:'900004', \ phase:1, \ t:none, \ setvar:tx.anomaly_score_blocking=on, \ nolog, \ pass" #SecGeoLookupDb /opt/modsecurity/lib/GeoLiteCity.dat #SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \ "id:'900005', \ phase:1, \ t:none, \ ctl:ruleEngine=DetectionOnly, \ setvar:tx.regression_testing=1, \ nolog, \ pass" SecAction \ "id:'900006', \ phase:1, \ t:none, \ setvar:tx.max_num_args=255, \ nolog, \ pass" #SecAction \ "id:'900007', \ phase:1, \ t:none, \ setvar:tx.arg_name_length=100, \ nolog, \ pass" #SecAction \ "id:'900008', \ phase:1, \ t:none, \ setvar:tx.arg_length=400, \ nolog, \ pass" #SecAction \ "id:'900009', \ phase:1, \ t:none, \ setvar:tx.total_arg_length=64000, \ nolog, \ pass" #SecAction \ "id:'900010', \ phase:1, \ t:none, \ setvar:tx.max_file_size=1048576, \ nolog, \ pass" #SecAction \ "id:'900011', \ phase:1, \ t:none, \ setvar:tx.combined_file_sizes=1048576, \ nolog, \ pass" SecAction \ "id:'900012', \ phase:1, \ t:none, \ setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \ setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \ setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \ setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \ setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \ nolog, \ pass" #SecAction \ "id:'900013', \ phase:1, \ t:none, \ setvar:tx.csp_report_only=1, \ setvar:tx.csp_report_uri=/csp_violation_report, \ setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com; script-src *.yoursite.com; report-uri %{tx.csp_report_uri}', \ nolog, \ pass" #SecAction \ "id:'900014', \ phase:1, \ t:none, \ setvar:'tx.brute_force_protected_urls=/login.jsp /partner_login.php', \ setvar:'tx.brute_force_burst_time_slice=60', \ setvar:'tx.brute_force_counter_threshold=10', \ setvar:'tx.brute_force_block_timeout=300', \ nolog, \ pass" #SecAction \ "id:'900015', \ phase:1, \ t:none, \ setvar:'tx.dos_burst_time_slice=60', \ setvar:'tx.dos_counter_threshold=100', \ setvar:'tx.dos_block_timeout=600', \ nolog, \ pass" SecAction \ "id:'900016', \ phase:1, \ t:none, \ setvar:tx.crs_validate_utf8_encoding=1, \ nolog, \ pass" SecRule REQUEST_HEADERS:Content-Type "text/xml" \ "id:'900017', \ phase:1, \ t:none,t:lowercase, \ nolog, \ pass, \ chain" SecRule REQBODY_PROCESSOR "!@streq XML" \ "ctl:requestBodyProcessor=XML" SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \ "id:'900018', \ phase:1, \ t:none,t:sha1,t:hexEncode, \ setvar:tx.ua_hash=%{matched_var}, \ nolog, \ pass" SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \ "id:'900019', \ phase:1, \ t:none, \ capture, \ setvar:tx.real_ip=%{tx.1}, \ nolog, \ pass" SecRule &TX:REAL_IP "!@eq 0" \ "id:'900020', \ phase:1, \ t:none, \ initcol:global=global, \ initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \ nolog, \ pass" SecRule &TX:REAL_IP "@eq 0" \ "id:'900021', \ phase:1, \ t:none, \ initcol:global=global, \ initcol:ip=%{remote_addr}_%{tx.ua_hash}, \ nolog, \ pass" ************************************************** Reagards, JamBo |