Alexandre Schaff very kindly replied to me directly, and set me on the right path. Things are now sort of working, but I believe the behaviour of pause is not as I'd expect.
My SecDefaultAction is pass.
The ModSecurity Handbook v2 described the pause action as "Pause for a period of time, then execute allow". For this reason I removed the "pass" as it seemed to be being ignored.
Although it sounds like the behaviour of pause in relation to other actions was modified back in 2013: https://github.com/SpiderLabs/ModSecurity/issues/445 . I'd hope that this had been updated in Ubuntu's libapache2-mod-security2 package.
However I think the behaviour I am seeing doesn't seem to match either the pre-2013 case, or the expected behaviour suggested by that post:
* pause = pause then drop
* pass,pause = pause then allow
Processing of additional rules does not take place:
SecRule REQUEST_URI "@rx ^/slow/page" "id:2004,phase:2,log,msg:'***POST PAGE***',noauditlog,pass,pause:500,chain"
SecRule REQUEST_METHOD "@rx ^POST$"
# Add delay to rendering login page
SecRule REQUEST_URI "@rx ^/slow/page" "id:2003,phase:2,log,msg:'***GET PAGE***',noauditlog,pass,pause:200"
i.e. if it matched on rule ID:2004 then rule ID:2003 doesn't get processed.
Thanks,
Paul
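A small probe to tell apart the outcomes discussed in this thread (pause then allow, pause then drop, blocked by another rule, or no pause at all) from curl's own numbers. This is an added example, not code from any of the posters; it assumes the test host modsectest.local and the /slow/page URI from the thread, and the 200 ms / 500 ms pauses of rules 2003 and 2004.

```shell
#!/bin/sh
# Added probe (not from the thread): time a request and classify what ModSecurity did.
# BASE_URL is assumed; override it for another test host.
BASE_URL="${BASE_URL:-http://modsectest.local}"

# classify <http_code> <time_total_seconds> <expected_pause_ms>
# Prints: dropped  - curl got no HTTP response (the "Empty reply" case, code 000)
#         paused   - 2xx/3xx and total time >= the configured pause
#         no-pause - a 2xx/3xx came back faster than the configured pause
#         blocked  - 4xx/5xx, i.e. a disruptive action fired instead of pass
classify() {
  code="$1"; secs="$2"; want_ms="$3"
  # curl reports seconds with decimals; convert to whole milliseconds
  ms=$(awk -v s="$secs" 'BEGIN { printf "%d", s * 1000 }')
  case "$code" in
    000) echo dropped ;;
    2??|3??) if [ "$ms" -ge "$want_ms" ]; then echo paused; else echo no-pause; fi ;;
    *) echo blocked ;;
  esac
}

# probe <method> <path> <expected_pause_ms>: run curl once and classify the outcome
probe() {
  out=$(curl -s -o /dev/null -X "$1" -w '%{http_code} %{time_total}' "$BASE_URL$2")
  # split "code time" into $4 and $5 while keeping method/path/expectation in $1..$3
  set -- "$1" "$2" "$3" $out
  echo "$1 $2: code=$4 time=${5}s -> $(classify "$4" "$5" "$3")"
}

# Only hit the network when asked, so the classifier can be exercised offline.
if [ "${RUN_PROBE:-0}" = 1 ]; then
  probe GET  /slow/page 200   # rule 2003 in the thread: pause:200
  probe POST /slow/page 500   # rule 2004 in the thread: chained on POST, pause:500
fi
```

Run with RUN_PROBE=1 against the test environment; a GET that reports paused while a POST reports dropped, or a POST that returns paused at 500 ms but rule 2003 never logs, reproduces the two observations above.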
________________________________
From: SCHAFF Alexandre
Sent: 07 February 2020 09:37
To: Paul Beckett <pau...@ou...>
Subject: Re: modsecurity pause action seems to be causing request to be dropped
Bonjour,
Issue in src code when the 'pause' action in a SecRule interacts with a SecDefaultAction that sets a disruptive action. Interaction happens when there is no disruptive action in the SecRule.
Try
SecRule REQUEST_URI "@rx ^/slow/page" "id:2003,phase:2,pass,nolog,noauditlog,pause:371"
Alexandre.
________________________________
From: Paul Beckett <pau...@ou...>
Sent: Friday, February 7, 2020 8:32 AM
To: mod...@li... <mod...@li...>
Subject: [mod-security-users] modsecurity pause action seems to be causing request to be dropped
Yesterday this seemed to be working for me, but today this rule seems to be causing the request to be dropped.
Rule:
SecRule REQUEST_URI "@rx ^/slow/page" "id:2003,phase:2,nolog,noauditlog,pause:371"
If I comment it out, the page returns; uncommented, curl comes straight back with:
* Empty reply from server
* Connection #0 to host modsectest.local left intact
curl: (52) Empty reply from server
This is being tested against a simple newly built test environment:
Ubuntu 18.04.3 LTS
Apache2 and mod-sec installed from repository
Loading CRS3
If anyone can see an obvious explanation for this, I'd be very grateful.
Thanks,
Paul