[mod-security-users] Squirrelmail and logging

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,

I found that ModSec, out of the box, blocks my Squirrelmail implementation.

Most of Squirrelmail's functions seem to hit rule 900018, a few hit
950109, and composing a message hits 900045, 900017, 900059, 90008, 90004
and 900043!

To get round this I put a rule in modsecurity_localrules.conf which read:
SecRule REQUEST_URI "@rx
(compose|delete_message|options|move_messages|gpg_pop_init.php)\.php"
"pass,ctl:ruleEngine=DetectionOnly"
(The URI is always something like /webmail/src/compose.php)

This worked, but the events were always logged, and filled up my
AuditConsole so I couldn't focus on the important stuff.
So as the list of URIs seemed to grow inexorably, I recently tried to
change this rule to make it more flexible and prevent the logging. This is
what I have at the moment:

SecRule REQUEST_URI "@rx \/webmail\/src\/"
"pass,nolog,noauditlog,ctl:ruleEngine=DetectionOnly"

It doesn't work. Squirrelmail does function (although some things - like
the spellcheck function - do get blocked) the events are all still logged
in the AuditConsole.

How should I change my rule to make it work - or better still - is there a
simpler way of allowing Squirrelmail to function?

Thanks...

Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4RjyUACgkQ75heFf3niHIncACgjuAdd7y1YB4W+EEH32NCjFkE
kcoAn1SfdA8r6ZisGqG9Uf0KxrI9WUwp
=+qAR
-----END PGP SIGNATURE-----