Friends,

This is my first post to the mailing list. Excuse any typo(s) or brevity.

Problem Statement - I am trying to "append" a pattern with the rule(s) but is not working -

SecRule RESPONSE_CONTENT_TYPE "^text/html" "id:'6',nolog,pass,append:'<hr>Footer'"
SecRule REQUEST_FILENAME "@streq /robots.txt" "id:'7',phase:4,t:none,log,pass,append:'Disallow: /sql_backup'"

But the append rule is not working as it should. I am receiving a log for this rule, but still no text is being appended. I am working on modsecurity 2.7.4 with apache2 on Ubuntu Server.

Here is a sample of the log file,

[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Recipe: Invoking rule b7033bb8; [file "/etc/apache2/conf.d/mod.conf"] [line "46"] [id "7"].
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][5] Rule b7033bb8: SecRule "RESPONSE_CONTENT_TYPE" "@rx ^text/html" "phase:2,auditlog,id:7,nolog,pass,append:<hr>Footer"
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Transformation completed in 0 usec.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Executing operator "rx" with param "^text/html" against RESPONSE_CONTENT_TYPE.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Operator completed in 2 usec.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Rule returned 0.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Hook insert_filter: Adding output filter (r b717b058).
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Starting phase RESPONSE_HEADERS.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Output filter: Response body buffering is not enabled.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Output filter: Completed receiving response body (non-buffering).
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Starting phase RESPONSE_BODY.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Recipe: Invoking rule b7033160; [file "/etc/apache2/conf.d/mod.conf"] [line "43"] [id "6"].
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][5] Rule b7033160: SecRule "REQUEST_FILENAME" "@streq /robots.txt" "phase:4,auditlog,id:6,t:none,log,pass,append:'Disallow: /db_backup.%{time_epoch}/# Old DB crash data'"
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Transformation completed in 1 usec.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Executing operator "streq" with param "/robots.txt" against REQUEST_FILENAME.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Operator completed in 3 usec.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][2] Warning. String match "/robots.txt" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/mod.conf"] [line "43"] [id "6"]
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Rule returned 1.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Output filter: Output forwarding complete.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Initialising logging.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Starting phase LOGGING.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Recording persistent data took 0 microseconds.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Audit log: Not configured to run for this request.

Count my 2.

--
Rishi Narang
Researcher | Consultant | Writer

... being anonymous is a myth, but none knows who coined it.