I tried the following but still can not start the apache. One interesting things, if I start up the apache then I change the httpd.conf to add this rule. I can not stop the apache.

I tried this (with double quote in action list)

SecRule REQUEST_URI_RAW "http://" "log,drop,phase:1,msg:'Possible Attack'"

Then I change to this.

SecRule REQUEST_URI_RAW "http:/" "phase:1,t:none,t:urlDecode,t:lowercase,t:normalisePath"

I try this without problem, it works fine. Only the REQUEST_URI_RAW has problem.

SecRule REQUEST_HEADERS:User-Agent "^Mozilla" "log,drop,phase:1,msg:'Possible Brute Force Attack'"

For my apache, I only install the --with-unique-id, without extra modules.

On Fri, May 28, 2010 at 7:19 PM, Ryan Barnett <Ryan.Barnett@breach.com> wrote:

Try putting double quotes around your action list.

Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.

From: Ma Fai
To: mod-security-users@lists.sourceforge.net
Sent: Fri May 28 06:57:03 2010
Subject: [mod-security-users] Can not start up after add REQUEST_URI_RAW
I use the based modsecurity_crs_10_config.conf

Include conf/modsecurity_crs/*.conf

SecRule REQUEST_URI_RAW "http:/" phase:1,t:none,t:urlDecode,t:lowercase,t:normalisePath

after I add SecRule REQUEST_URI_RAW, then the apache can not start up, halt & no response. The httpd can not start it up.

Any one has experience on it?