I have been using modsec 1 for several years and am using modsec 2 on a new server. While switching over I have found some very odd behavior...

Example: To block an empty user agent the regex should be ^$  -- my rule is:

SecRule REQUEST_HEADERS:User-Agent "^$" \
"t:none,log,deny,status:411,t:compressWhiteSpace, t:replaceNulls, msg:'null UA'"

* The rule is as close to the beginning of the ruleset as possible
* If I make the rule phase 1 it gets skipped altogether in the debug output.

Default rule is:
SecDefaultAction "phase:2,deny,log,status:406,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

Trying a simple script against this server (file_get_contents + setting a blank UA) I get this in the logs:

IP-ADDRESS - - [22/Aug/2009:17:14:24 -0500] "GET /tools/modsectest9x.php HTTP/1.0" 200 60 "-" "-"

So a blank referer and blank UA - and yet modsec lets the connection sail through, plus if I debug modsec (level 9) I can see the rule being evaluated and ignored. (Output below is trimmed of the date/ip/rid.)

 [4] Recipe: Invoking rule 95510e8; [file "/usr/local/apache/conf/modsec2.user.conf"] [line "33"].
 [5] Rule 95510e8: SecRule "REQUEST_HEADERS:User-Agent" "@rx ^$" "phase:2,status:411,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:none,log,deny,t:compressWhiteSpace,t:replaceNulls,msg:'null UA'"
 [4] Rule returned 0.
 [9] No match, not chained -> mode NEXT_RULE.

I have ensured my IP is not whitelisted and run the script from several locations just in case.
I have tried every variation of regex I can think of and then some, but still nothing.
I have tried every variation of the rule, but no joy.

* Linux s 2.6.18-128.1.10.el5PAE #1 SMP Thu May 7 11:14:31 EDT 2009 i686 i686 i386 GNU/Linux
* Apache 2.2.11
* webserver built by theplanet for hostgator
* Modsec 2.5.9

On top of this, modsec will not catch ARGS | ARGS_POST, which I use to trap comment spam keywords, or obey nolog! :(

I am seriously thinking of downgrading to apache 1.3 and modsec 1.9x so I can just move on and get some work done!

Any suggestions or ideas of where to look?
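As an added example (not part of the original post, and not taken from the poster's ruleset), here is a pair of ModSecurity 2 rules that cover the two different "blank UA" cases. The rule in the post is only ever tested when a User-Agent header is present and empty; if the client sends no User-Agent header at all, `REQUEST_HEADERS:User-Agent` does not exist, there is nothing for `^$` to match against, and the rule returns 0 exactly as the debug log shows. A header that was never sent is also what Apache logs as `"-"`, so the access-log line above is consistent with that reading. The `&` prefix makes ModSecurity count the matching variables instead of inspecting their values, which is the documented way to test for a missing header. The rule ids and `msg` strings below are made up for the example; the phase and status code follow the `SecDefaultAction` quoted in the post.

```apache
# Added example, not the original poster's configuration.
# Assumes the SecDefaultAction from the post:
#   SecDefaultAction "phase:2,deny,log,status:406,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
# t:none is used in both rules to drop those default transformations before matching.

# Case 1: no User-Agent header was sent at all.
# "&" yields the number of REQUEST_HEADERS:User-Agent variables present,
# so "@eq 0" is true only when the header is absent. A plain "^$" rule
# is never evaluated in this case because the variable does not exist.
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "phase:2,t:none,log,deny,status:411,id:900010,msg:'missing User-Agent header'"

# Case 2: a User-Agent header was sent but its value is empty.
# This is the only case the original "^$" rule can catch.
SecRule REQUEST_HEADERS:User-Agent "^$" \
    "phase:2,t:none,log,deny,status:411,id:900011,msg:'empty User-Agent header'"
```

To exercise both rules separately from the command line, curl distinguishes the cases: `curl -H 'User-Agent:' URL` removes the header entirely (should trip 900010), while `curl -H 'User-Agent;' URL` sends the header with an empty value (should trip 900011). Checking the debug log at level 9 for each request shows which of the two rules was invoked and what it returned.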
