Re: [mod-security-users] Outbound rules not working
From: Walter H. <mo...@sp...> - 2015-05-15 16:27:59
> I am running Ubuntu 14.04 and carried out a vanilla install of modsec through apt-get. I have activated all the base-rules. It is in detection only mode and I have chosen Anomaly scoring.
>
> […] However I never get any Outbound alerts (leaked data etc). Do I have to do something special to enable outbound rules or data processing?

I have the same problem on Ubuntu when the deflate module does gzip encoding. For some reason, ModSec scans the *gzip encoded* data in that case, so it’s useless. I don’t see this problem on FreeBSD.

I’ve mentioned it on the mailing list some time ago, but never got a response. Since we’re planning on using Linux more, I’d gladly help debug it, since I’m planning to use Ubuntu more in the future.

Could you check if gzip encoding is perhaps the problem for you too?

1) Browse to something that should be blocked by the CRS, like an Apache open dir (rule 970013). In contradiction of policy, I can load the page, but it should be a 403.
2) sudo a2dismod -f deflate
3) sudo service apache2 restart
4) Reload the open dir: now it’s correctly a 403!
5) Restore normal situation with: sudo a2enmod deflate && sudo service apache2 restart

If you do get a 403 at point 4, then you are suffering my problem (which is good for me) ;)

Have a good weekend,
WH

--
Walter Hop | PGP key: https://lifeforms.nl/pgp
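
The failure mode described in the message above, as an added example that is not part of the original post or of ModSecurity: a signature run over a gzip-encoded response body finds nothing, while the same signature matches once the body is decoded. The pattern, the sample directory listing and all function names are constructed for illustration; the pattern is not the actual expression used by CRS rule 970013.

```python
import gzip
import re

# Constructed stand-in for an outbound "directory listing" signature.
# This is NOT the actual pattern of CRS rule 970013.
LEAK_PATTERN = re.compile(rb"<title>Index of /")


def build_listing(entries=20):
    """Constructed sample body resembling an Apache open-directory page."""
    rows = "".join(
        f'<tr><td><a href="file{i}.txt">file{i}.txt</a></td></tr>\n'
        for i in range(entries)
    )
    html = (
        "<html><head><title>Index of /files</title></head><body>"
        f"<h1>Index of /files</h1><table>\n{rows}</table></body></html>"
    )
    return html.encode("ascii")


def scan_as_is(body):
    """Match against the bytes exactly as they would go on the wire."""
    return LEAK_PATTERN.search(body) is not None


def scan_decoded(headers, body):
    """Undo Content-Encoding: gzip first, then match."""
    if headers.get("Content-Encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return LEAK_PATTERN.search(body) is not None


def demo():
    plain = build_listing()
    compressed = gzip.compress(plain)  # what a gzip output filter would emit
    headers = {"Content-Encoding": "gzip"}
    return {
        "plain_body": scan_as_is(plain),
        "gzip_body_as_is": scan_as_is(compressed),
        "gzip_body_decoded": scan_decoded(headers, compressed),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'match' if hit else 'no match'}")
```
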