Re: [mod-security-users] strange behaviors with secmarker and skipafter, help appreciated
From: Ryan B. <RBa...@tr...> - 2011-06-17 20:56:15
What ModSecurity version are you using?

-Ryan

From: Yi Li <yi...@gm...>
Date: Fri, 17 Jun 2011 15:52:03 -0500
To: "mod...@li..." <mod...@li...>
Subject: Re: [mod-security-users] strange behaviors with secmarker and skipafter, help appreciated

If not using skipAfter and SecMarker, what are the other alternatives to bypass some rules based on the request's URL? Thanks.

On Fri, Jun 17, 2011 at 1:24 PM, Yi Li <yi...@gm...> wrote:

I placed a few rules in a block inside SecMarker, which can be skipped with the 'skipAfter' operator if the skipAfter rule matches. The skipAfter does not work as I wished, and the result is really interesting. Any help would be appreciated.

Here is what I find:

1. The skipAfter is triggered, but the rule inside the 'SecMarker' is still evaluated.
2. The log message from the rule inside the SecMarker is before the log message from the skipAfter rule. Does it suggest that the engine evaluates the rule inside the SecMarker first? Please note that the skipAfter rule is placed before the rule inside the SecMarker.

Here are the log messages inside audit.log:

--ee2d1c1a-H--
Message: Warning. Pattern match "^10\.161\.2\.49$" at REMOTE_ADDR. [file "/opt/modsecurity/conf/modsecurity_crs_15_customrules.conf"] [line "10"] [msg "ip block"] [data "/webapp/wcs/stores/servlet/urlxx"]
Message: Warning. Match of "contains url001,phase:1,skipAfter:AFTER_GEO_IP_CHECK,pass,msg:'skip geoip',logdata:'%{REQUEST_FILENAME}',ctl:debugLogLevel=9" against "REQUEST_FILENAME" required. [file "/opt/modsecurity/conf/modsecurity_crs_15_customrules.conf"] [line "5"]

Here are the rules:

SecRule REQUEST_FILENAME "!@contains url01,phase:1,skipAfter:AFTER_GEO_IP_CHECK,pass,msg:'skip geoip',logdata:'%{REQUEST_FILENAME}',ctl:debugLogLevel=9"
SecMarker GEO_IP_CHECK
SecRule REMOTE_ADDR "^10\.128\.76\.50$" "phase:1,drop,msg:'ip block',logdata:'%{REQUEST_FILENAME}'"
SecRule REMOTE_ADDR "^10\.161\.2\.49$" "phase:1,pass,msg:'ip block',logdata:'%{REQUEST_FILENAME}'"
## GeoIP blocking urles
SecMarker AFTER_GEO_IP_CHECK
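
Added example, not part of the original thread and not ModSecurity project code: the audit-log line above reports the whole string "contains url001,phase:1,skipAfter:..." as the pattern matched against REQUEST_FILENAME, which is what SecRule does when the operator and the action list share one pair of quotes. The Python check below is a heuristic that flags such rules; it assumes one SecRule per line (no backslash continuations), and its sample config is constructed from the rules quoted above plus a hypothetical split-quote variant.

```python
import shlex

# Action keywords that belong in the third SecRule argument, never in the operator.
ACTION_HINTS = ("phase:", "skipAfter:", "msg:", "logdata:", "ctl:", "id:")

# Constructed sample: line 1 is the skip rule as quoted in the thread, line 5 is a
# hypothetical variant with the operator and the action list quoted separately.
SAMPLE = r'''
SecRule REQUEST_FILENAME "!@contains url01,phase:1,skipAfter:AFTER_GEO_IP_CHECK,pass,msg:'skip geoip',logdata:'%{REQUEST_FILENAME}',ctl:debugLogLevel=9"
SecMarker GEO_IP_CHECK
SecRule REMOTE_ADDR "^10\.161\.2\.49$" "phase:1,pass,msg:'ip block',logdata:'%{REQUEST_FILENAME}'"
SecMarker AFTER_GEO_IP_CHECK
SecRule REQUEST_FILENAME "!@contains url01" "phase:1,skipAfter:AFTER_GEO_IP_CHECK,pass,nolog"
'''.lstrip()


def lint_secrules(config_text):
    """Return [(line_no, [hints])] for SecRule lines whose operator argument
    appears to contain the action list (or whose quotes do not balance)."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        line = line.strip()
        if not line.startswith("SecRule "):
            continue  # SecMarker, comments and other directives are not checked
        try:
            # shlex splits on whitespace and honours the double-quoted arguments,
            # giving [VARIABLES, OPERATOR, ACTIONS?] after the directive name.
            args = shlex.split(line)[1:]
        except ValueError:
            findings.append((line_no, ["unbalanced quotes"]))
            continue
        if len(args) < 2:
            continue
        # An action keyword following a comma inside the operator string means
        # the action list was swallowed by the operator's quotes.
        swallowed = [h for h in ACTION_HINTS if "," + h in args[1]]
        if swallowed:
            findings.append((line_no, swallowed))
    return findings


if __name__ == "__main__":
    for line_no, hints in lint_secrules(SAMPLE):
        print(f"line {line_no}: operator argument contains {', '.join(hints)}")
```

A rule flagged this way has no action list of its own, so its phase:1 and skipAfter settings never take effect and the rule runs with the SecDefaultAction settings instead.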