Re: [mod-security-users] strange behaviors with secmarker and skipafter, help appreciated
From: Yi Li <yi...@gm...> - 2011-06-17 20:52:10
If not using skipAfter and SecMarker, what are the other alternatives to bypass some rules based on the request's URL? Thanks.

On Fri, Jun 17, 2011 at 1:24 PM, Yi Li <yi...@gm...> wrote:
>
> I placed a few rules in a block inside SecMarker, which can be skipped with the 'skipAfter' operator if the skipAfter rule matches.
>
> The skipAfter does not work as I wished and the result is really interesting.
>
> Any help would be appreciated.
>
> Here is what I find:
>
> 1. The skipAfter is triggered, but the rule inside the 'SecMarker' is still evaluated.
>
> 2. The log message from the rule inside the SecMarker is before the log message from the skipAfter rule.
> Does it suggest that the engine evaluates the rule inside the SecMarker first?
> Please note that the skipAfter rule is placed before the rule inside the SecMarker.
>
> Here are the log messages inside audit.log:
>
> --ee2d1c1a-H--
> Message: Warning. Pattern match "^10\.161\.2\.49$" at REMOTE_ADDR. [file "/opt/modsecurity/conf/modsecurity_crs_15_customrules.conf"] [line "10"] [msg "ip block"] [data "/webapp/wcs/stores/servlet/urlxx"]
> Message: Warning. Match of "contains url001,phase:1,skipAfter:AFTER_GEO_IP_CHECK,pass,msg:'skip geoip',logdata:'%{REQUEST_FILENAME}',ctl:debugLogLevel=9" against "REQUEST_FILENAME" required. [file "/opt/modsecurity/conf/modsecurity_crs_15_customrules.conf"] [line "5"]
>
> Here are the rules:
>
> SecRule REQUEST_FILENAME "!@contains url01,phase:1,skipAfter:AFTER_GEO_IP_CHECK,pass,msg:'skip geoip',logdata:'%{REQUEST_FILENAME}',ctl:debugLogLevel=9"
>
> SecMarker GEO_IP_CHECK
>
> SecRule REMOTE_ADDR "^10\.128\.76\.50$" "phase:1,drop,msg:'ip block',logdata:'%{REQUEST_FILENAME}'"
> SecRule REMOTE_ADDR "^10\.161\.2\.49$" "phase:1,pass,msg:'ip block',logdata:'%{REQUEST_FILENAME}'"
>
> ## GeoIP blocking rules
>
> SecMarker AFTER_GEO_IP_CHECK
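As an added example (not the poster's configuration), the rule as posted beside a corrected form, plus an alternative that excludes the IP rules by id instead of jumping over them; the rule ids 1001-1004 and the assumption that SecDefaultAction is at its phase 2 default are mine.

```apache
# Added example, not the poster's config. Rule ids are placeholders; ModSecurity
# 2.7 and later require an id on every rule, earlier 2.x versions accept rules without one.

# --- As posted: only ONE quoted string follows the variable. ModSecurity parses
# SecRule VARIABLES "OPERATOR" "ACTIONS", so the entire string, phase:1 and
# skipAfter included, becomes the @contains argument and the rule has no actions
# of its own. That is why the audit log reports
#   Match of "contains url001,phase:1,skipAfter:..." against "REQUEST_FILENAME" required.
# and why the rule runs in the SecDefaultAction phase (phase 2 by default),
# i.e. after the phase 1 REMOTE_ADDR rules it was meant to skip.
#SecRule REQUEST_FILENAME "!@contains url01,phase:1,skipAfter:AFTER_GEO_IP_CHECK,pass,msg:'skip geoip',logdata:'%{REQUEST_FILENAME}',ctl:debugLogLevel=9"

# --- Corrected: operator and actions in separate quoted strings. When the request
# filename does not contain "url01", phase 1 jumps to AFTER_GEO_IP_CHECK and the
# two REMOTE_ADDR rules are never evaluated. skipAfter only skips rules in the
# current phase, so this rule must be in phase 1 like the rules it jumps over.
SecRule REQUEST_FILENAME "!@contains url01" \
    "id:1001,phase:1,pass,skipAfter:AFTER_GEO_IP_CHECK,msg:'skip geoip',logdata:'%{REQUEST_FILENAME}'"

SecMarker GEO_IP_CHECK

SecRule REMOTE_ADDR "@rx ^10\.128\.76\.50$" \
    "id:1002,phase:1,drop,msg:'ip block',logdata:'%{REQUEST_FILENAME}'"
SecRule REMOTE_ADDR "@rx ^10\.161\.2\.49$" \
    "id:1003,phase:1,pass,msg:'ip block',logdata:'%{REQUEST_FILENAME}'"

## GeoIP blocking rules

SecMarker AFTER_GEO_IP_CHECK

# --- Alternative without markers: disable the two IP rules for this transaction
# by id. ctl:ruleRemoveById affects rules evaluated after it, so it must sit
# earlier in the same phase (or in an earlier phase) than the rules it removes.
#SecRule REQUEST_FILENAME "!@contains url01" \
#    "id:1004,phase:1,pass,nolog,ctl:ruleRemoveById=1002,ctl:ruleRemoveById=1003"
```

Either variant keeps the IP checks only for requests whose filename contains "url01"; verify the chosen one with the debug log at a moderate level rather than ctl:debugLogLevel=9, which is very noisy on a busy server.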