[Mod-security-rules] Append Error
From: Rishi N. <ia...@pw...> - 2013-09-10 09:25:07
Friends,

This is my first post to the mailing list. Excuse any typo(s) or brevity.

*Problem Statement* - I am trying to "append" a pattern with the rule(s) but it is not working -

SecRule RESPONSE_CONTENT_TYPE "^text/html" "id:'6',nolog,pass,append:'<hr>Footer'"
SecRule REQUEST_FILENAME "@streq /robots.txt" "id:'7',phase:4,t:none,log,pass,append:'Disallow: /sql_backup'"

But the *append* rule is not working as it should. I am receiving a log for this rule, but still no text is being appended. I am working on modsecurity 2.7.4 with apache2 on Ubuntu Server.

Here is a sample of the log file,

[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Recipe: Invoking rule b7033bb8; [file "/etc/apache2/conf.d/mod.conf"] [line "46"] [id "7"].
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][5] Rule b7033bb8: SecRule "RESPONSE_CONTENT_TYPE" "@rx ^text/html" "phase:2,auditlog,id:7,nolog,pass,append:<hr>Footer"
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Transformation completed in 0 usec.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Executing operator "rx" with param "^text/html" against RESPONSE_CONTENT_TYPE.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Operator completed in 2 usec.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Rule returned 0.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Hook insert_filter: Adding output filter (r b717b058).
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Starting phase RESPONSE_HEADERS.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Output filter: Response body buffering is not enabled.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Output filter: Completed receiving response body (non-buffering).
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Starting phase RESPONSE_BODY.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Recipe: Invoking rule b7033160; [file "/etc/apache2/conf.d/mod.conf"] [line "43"] [id "6"].
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][5] Rule b7033160: SecRule "REQUEST_FILENAME" "@streq /robots.txt" "phase:4,auditlog,id:6,t:none,log,pass,append:'Disallow: /db_backup.%{time_epoch}/# Old DB crash data'"
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Transformation completed in 1 usec.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Executing operator "streq" with param "/robots.txt" against REQUEST_FILENAME.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Operator completed in 3 usec.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][2] Warning. String match "/robots.txt" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/mod.conf"] [line "43"] [id "6"]
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Rule returned 1.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Output filter: Output forwarding complete.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Initialising logging.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Starting phase LOGGING.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Recording persistent data took 0 microseconds.
[09/Sep/2013:18:56:53 +0530] [modsec/sid#b7034600][rid#b717b058][/robots.txt][4] Audit log: Not configured to run for this request.

Count my 2¢.

--
Rishi Narang
Researcher | Consultant | Writer
Connect: Blog <http://www.wtfuzz.com/> / LinkedIn <http://linkedin.com/in/rishinarang> / Twitter <http://twitter.com/rnarang>

*... being anonymous is a myth, but none knows who coined it.*