Re: [mod-security-users] strange behaviors with secmarker and skipafter, help appreciated

[Yi Li <yi...@gm...>]

if  not use skipafter and secmarker, what are the other alternatives to
bypass some rules based on the request's url?
thanks.

On Fri, Jun 17, 2011 at 1:24 PM, Yi Li <yi...@gm...> wrote:

>
> I placed a few rules in a block inside SecMarker, which can be skipped with
> 'skipAfter' operator, if the skipAfter rule matches
>
> The skipAfter does not work as I wished and the result is really
> interesting.
>
> any help would be appreciated.
>
> here is what I find:
>
> 1. the skipAfter is triggered, but the rule inside the 'SecMarker'is still
> evaluated.
>
> 2. the log message from the rule inside in the secmarker is before the log
> message from the skipAfter rule.
>    does it suggest that the engine evaluate the rule inside the secmarker
> first?
>    please note that the skipAfter rule is placed before the rule inside
> secMarker.
>
> here is the log messages inside audit.log
>
> --ee2d1c1a-H--
> Message: Warning. Pattern match "^10\.161\.2\.49$" at REMOTE_ADDR. [file
> "/opt/modsecurity/conf/modsecurity_crs_15_customrules.conf"] [line "10"]
> [msg "ip block"] [data "/webapp/wcs/stores/servlet/urlxx"]
> Message: Warning. Match of "contains
> url001,phase:1,skipAfter:AFTER_GEO_IP_CHECK,pass,msg:'skip
> geoip',logdata:'%{REQUEST_FILENAME}',ctl:debugLogLevel=9" against
> "REQUEST_FILENAME" required. [file
> "/opt/modsecurity/conf/modsecurity_crs_15_customrules.conf"] [line "5"]
>
> here is the rules:
>
>
> SecRule REQUEST_FILENAME "!@contains
> url01,phase:1,skipAfter:AFTER_GEO_IP_CHECK,pass,msg:'skip
> geoip',logdata:'%{REQUEST_FILENAME}',ctl:debugLogLevel=9"
>
> SecMarker GEO_IP_CHECK
>
> SecRule REMOTE_ADDR "^10\.128\.76\.50$" "phase:1,drop,msg:'ip
> block',logdata:'%{REQUEST_FILENAME}'"
> SecRule REMOTE_ADDR "^10\.161\.2\.49$" "phase:1,pass,msg:'ip
> block',logdata:'%{REQUEST_FILENAME}'"
>
> ## GeoIP blocking urles
>
> SecMarker AFTER_GEO_IP_CHECK
>
>
>
>
>