Re: [mod-security-users] Modsecurity 2.7.2 phase:3 not running
From: Breno S. <bre...@gm...> - 2013-02-21 00:57:22
I tested here. Can you confirm if your request is not cached? Looks like it is working fine:

Returned:

HTTP/1.1 200 OK
Date: Wed, 20 Feb 2013 14:24:02 GMT
Server: Apache/2.2.14 (Ubuntu) mod_ssl/2.2.14 OpenSSL/0.9.8k mod_fcgid/2.3.4
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 165
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/html

Debug.log:

[20/Feb/2013:10:24:02 --0400] [ 192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Starting phase RESPONSE_HEADERS.
[20/Feb/2013:10:24:02 --0400] [ 192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][9] This phase consists of 1 rule(s).
[20/Feb/2013:10:24:02 --0400] [ 192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Recipe: Invoking rule 20d99638; [file "/etc/apache2/modsecurity/modsecurity_crs_15_customrules.conf"] [line "596"] [id "1500000"].
[20/Feb/2013:10:24:02 --0400] [ 192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][5] Rule 20d99638: SecAction "phase:3,auditlog,log,pass,msg:phase3isWorking,id:1500000"
[20/Feb/2013:10:24:02 --0400] [ 192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Transformation completed in 3 usec.
[20/Feb/2013:10:24:02 --0400] [ 192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR.
[20/Feb/2013:10:24:02 --0400] [ 192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][9] Target value: "192.168.0.104"
[20/Feb/2013:10:24:02 --0400] [ 192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Operator completed in 1 usec.
[20/Feb/2013:10:24:02 --0400] [ 192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][2] Warning. Unconditional match in SecAction. [file "/etc/apache2/modsecurity/modsecurity_crs_15_customrules.conf"] [line "596"] [id "1500000"] [msg "phase3isWorking"]
[20/Feb/2013:10:24:02 --0400] [ 192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Rule returned 1.

On Wed, Feb 20, 2013 at 8:06 PM, Ben WIlliams <ben...@jo...> wrote:

> Yes, enabled debug log level 9 but in the case of requesting the text/html
> document the rule doesn't even get evaluated (nothing in debug log for that
> rule).
>
> On Thu, Feb 21, 2013 at 11:39 AM, Ryan Barnett <RBa...@tr...> wrote:
>
>> Did you turn up debug log to 9, test and review it?
>>
>> --
>> Ryan Barnett
>> Lead Security Researcher
>> Trustwave - SpiderLabs
>>
>> On Feb 20, 2013, at 5:37 PM, "Ben WIlliams" <ben...@jo...> wrote:
>>
>> > Please can someone verify if this is a bug in modsecurity or just my installation.
>> >
>> > SecResponseBodyAccess On
>> > SecResponseBodyMimeType text/plain text/html text/xml
>> > SecResponseBodyLimit 524288
>> > SecResponseBodyLimitAction ProcessPartial
>> >
>> > SecAction "phase:3,log,pass,msg:'phase3isWorking',id:'1500000'"
>> >
>> > Request a resource that returns content type text/html and the above rule does not run.
>> > Request a resource that returns content type image/png image/jpeg etc and rule runs ok.
>> >
>> > Thanks
>> > Ben
>> >
>> > ------------------------------------------------------------------------------
>> > Everyone hates slow websites. So do we.
>> > Make your web apps faster with AppDynamics
>> > Download AppDynamics Lite for free today:
>> > http://p.sf.net/sfu/appdyn_d2d_feb
>> > _______________________________________________
>> > mod-security-users mailing list
>> > mod...@li...
>> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> > http://www.modsecurity.org/projects/commercial/rules/
>> > http://www.modsecurity.org/projects/commercial/support/
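
Added example, not part of the original thread or of ModSecurity: a small parser for the debug-log layout quoted above that reports, per transaction, which rule ids were invoked in which phase, so the check "did rule 1500000 run in RESPONSE_HEADERS for this request?" can be made across a whole log. The function names are hypothetical, and the last sample line (rid 20df9a10, /cached.html) is constructed for illustration.

```python
import re

# Layout taken from the debug-log lines quoted in the thread:
# [timestamp] [host/sid#..][rid#..][uri][level] message
LINE = re.compile(
    r'^\[[^\]]+\] \[\s*[^/\]]+/sid#\w+\]\[rid#(?P<rid>\w+)\]'
    r'\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$')
PHASE = re.compile(r'Starting phase (\w+)\.')
INVOKE = re.compile(r'Recipe: Invoking rule \w+;.*\[id "(\d+)"\]')

# First three lines are from the thread; the fourth is constructed.
SAMPLE = """\
[20/Feb/2013:10:24:02 --0400] [ 192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Starting phase RESPONSE_HEADERS.
[20/Feb/2013:10:24:02 --0400] [ 192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][9] This phase consists of 1 rule(s).
[20/Feb/2013:10:24:02 --0400] [ 192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Recipe: Invoking rule 20d99638; [file "/etc/apache2/modsecurity/modsecurity_crs_15_customrules.conf"] [line "596"] [id "1500000"].
[20/Feb/2013:10:24:05 --0400] [192.168.0.105/sid#20dd7a90][rid#20df9a10][/cached.html][4] Starting phase REQUEST_HEADERS.
"""

def rules_by_phase(log_text):
    """Map (rid, uri) -> {phase name: [rule ids invoked in that phase]}."""
    txs, current = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a debug-log line in the expected layout
        key = (m['rid'], m['uri'])
        phases = txs.setdefault(key, {})
        if (p := PHASE.search(m['msg'])):
            current[key] = p.group(1)          # phase now active for this tx
            phases.setdefault(p.group(1), [])
        elif (r := INVOKE.search(m['msg'])) and key in current:
            phases[current[key]].append(r.group(1))
    return txs

def rule_ran(log_text, rule_id, phase):
    """Per transaction: was rule_id invoked during the named phase?"""
    return {key: rule_id in phases.get(phase, [])
            for key, phases in rules_by_phase(log_text).items()}

if __name__ == "__main__":
    for (rid, uri), ran in rule_ran(SAMPLE, "1500000", "RESPONSE_HEADERS").items():
        print(f"rid#{rid} {uri}: rule 1500000 in RESPONSE_HEADERS = {ran}")
```

Invocation lines are logged at level 4, so the debug log level must be at least that high for the result to mean anything.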