[mod-security-users] Outbound rules not working
From: J s. <jsa...@gm...> - 2015-05-15 15:58:32
Hi all,

I am running Ubuntu 14.04 and carried out a vanilla install of modsec through apt-get. I have activated all the base-rules. It is in detection only mode and I have chosen Anomaly scoring.

I have made minimal changes to the vanilla install which are:

in /etc/modsecurity/modsecurity.conf - SecAuditLogType Concurrent
in /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf - SecDefaultAction "phase:2,pass,log"

The website is internal and vulnerable while we test out ModSec.

This setup works well on many counts. I get modsec alerts in error.log such as SQL Injection and Remote File Access attempt. These alerts are Inbound alerts followed by a Correlated alert. However, I never get any Outbound alerts (leaked data etc.).

Do I have to do something special to enable outbound rules or data processing?

I have checked and "SecResponseBodyAccess On" is set in modsecurity.conf.

modsecurity_crs_50_outbound.conf & modsecurity_crs_59_outbound_blocking.conf are activated rules.

I think ModSec is great - thanks to all the contributors.

Regards
Jay