On Sunday 23 August 2009 12:54:19 pm Steve Warwick wrote:
> I have been using modsec 1 for several years and am using modsec 2 on a new
> server. While switching over I have found some very odd behavior....
>
> Example: To block an empty user agent the regex should be ^$ -- my rule
> is:
>
> SecRule REQUEST_HEADERS:User-Agent "^$" \
> "t:none,log,deny,status:411,t:compressWhiteSpace, t:replaceNulls, msg:'null UA'"
>
> * The rule is as close to the beginning of the ruleset as possible
> * If I make the rule phase1 it gets skipped all together in the debug
> output.
>
> Default rule is:
> SecDefaultAction
> "phase:2,deny,log,status:406,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
>
>
>
> Trying a simple script against this server (file_get_contents + setting a
> blank UA) I get this in the logs:
>
> IP-ADDRESS - - [22/Aug/2009:17:14:24 -0500] "GET /tools/modsectest9x.php HTTP/1.0" 200 60 "-" "-"
>
> So a blank referer and blank UA - and yet modsec lets the connection sail
> thru, plus if I debug modsec (level 9) I can see the rule being eval'd and
> ignored. (output below is trimmed of the date/ip/rid)
>
> [4] Recipe: Invoking rule 95510e8; [file "/usr/local/apache/conf/modsec2.user.conf"] [line "33"].
> [5] Rule 95510e8: SecRule "REQUEST_HEADERS:User-Agent" "@rx ^$" "phase:2,status:411,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:none,log,deny,t:compressWhiteSpace,t:replaceNulls,msg:'null UA'"
> [4] Rule returned 0.
> [9] No match, not chained -> mode NEXT_RULE.
>
>
>
>
> I have ensured my IP is not whitelisted and run the script from several
> locations just in case. I have tried every variation of regex I can think of,
> and then some, but still nothing. I have tried every variation of the rule,
> but no joy.
>
>
>
> * Linux s 2.6.18-128.1.10.el5PAE #1 SMP Thu May 7 11:14:31 EDT 2009 i686 i686 i386 GNU/Linux
> * Apache 2.2.11
> * webserver built by theplanet for hostgator
> * Modsec 2.5.9
>


Steve, check out this blog post on this topic - http://blog.modsecurity.org/2007/03/211x-rule-diffe.html. Basically, the older Mod rule syntax you are using will identify two separate issues - if a header is missing *or* if it is present but empty. In the new rules syntax, there are different methods for handling either of those cases.


> On top of this, modsec will not catch ARGS | ARGS_POST which I use to trap
> comment spam keywords, or obey nolog! :(
>


Please provide an example of where it is not working as you expect. These variables are still there in Mod 2.5.x.
http://www.modsecurity.org/documentation/modsecurity-apache/2.5.9/modsecurity2-apache-reference.html#N10DA7


> I am seriously thinking of downgrading to apache 1.3 and modsec 1.9x so I
> can just move on and get some work done!
>
>
> Any suggestions or ideas of where to look?
>
>
>
>
> Steve
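As an added example (not from this thread, and not the ModSecurity project's own rules), here are the two cases the reply distinguishes written as separate ModSecurity 2.5.x rules; the rule ids and messages are constructed, and phase 1 is assumed because request headers are complete by then.

```apache
# Added example, not from the original thread. Assumes ModSecurity 2.5.x
# syntax; ids and messages below are constructed (id is optional in 2.5.x,
# mandatory from 2.7 on).

# Case 1: the User-Agent header is absent. A regex on
# REQUEST_HEADERS:User-Agent never runs because the variable is not
# populated, so the rule "returns 0" as in the debug log above. Count the
# selected variables instead (the & prefix) and match when the count is 0.
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "phase:1,t:none,log,deny,status:411,id:900001,msg:'Missing User-Agent header'"

# Case 2: the header is present but empty or whitespace-only. Here a regex
# does apply. t:none first discards the transformations inherited from
# SecDefaultAction, so the match runs against the raw header value.
SecRule REQUEST_HEADERS:User-Agent "@rx ^\s*$" \
    "phase:1,t:none,log,deny,status:411,id:900002,msg:'Empty User-Agent header'"
```

A client that simply omits the header (the usual result of configuring a blank UA in many HTTP libraries) is caught by the first rule only, which is why a `^$` rule on its own shows "No match" in the debug log.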