I've downloaded and used the rules from OWASP

modsecurity_35_bad_robots.data             modsecurity_50_outbound.data                   modsecurity_crs_48_local_exceptions.conf
modsecurity_35_scanners.data               modsecurity_50_outbound_malware.data           modsecurity_crs_49_inbound_blocking.conf
modsecurity_40_generic_attacks.data        modsecurity_crs_41_phpids_converter.conf       modsecurity_crs_50_outbound.conf
modsecurity_41_sql_injection_attacks.data  modsecurity_crs_41_phpids_filters.conf         modsecurity_crs_59_outbound_blocking.conf
modsecurity_42_comment_spam.data           modsecurity_crs_41_sql_injection_attacks.conf  modsecurity_crs_60_correlation.conf
modsecurity_46_et_sql_injection.data       modsecurity_crs_41_xss_attacks.conf            
modsecurity_46_et_web_rules.data           modsecurity_crs_47_common_exceptions.conf
modsecurity_crs_20_protocol_violations.conf  modsecurity_crs_30_http_policy.conf          modsecurity_crs_42_tight_security.conf
modsecurity_crs_21_protocol_anomalies.conf   modsecurity_crs_35_bad_robots.conf           modsecurity_crs_45_trojans.conf
modsecurity_crs_23_request_limits.conf       modsecurity_crs_40_generic_attacks.conf

I've configure SecDefaultAction "phase:2,drop,log"


On Wed, Oct 27, 2010 at 9:45 AM, Ryan Barnett <RBarnett@trustwave.com> wrote:
On 10/27/10 9:21 AM, "robert mena" <robert.mena@gmail.com> wrote:

> Hi,
>
> Is there a way to test with standard attack vectors to see if mod_security is
> blocking the attemps for (example), sql injection?
>
> I've enabled and tried with www.mysite.com/?u=1 <http://www.mysite.com/?u=1>
> OR 1=1 but no message is logged in /var/log/httpd/error-log
>

What rule set are you using?  When I test your payload against our public
OWASP Core Rule Set (CRS) Demo is triggers SQL Injection alerts -
http://www.modsecurity.org/demo/phpids?test=1+OR+1%3D1

-Ryan