I think it would probably be easier to do a redirect in your web server configuration - like in your Apache Virtual Host
The rules you wrote look like they would be ok then.
They would have to go at the end of the modsecurity.conf file with the SecDefaultAction first.
I don’t think you even need to add a SecDefaultAction for what you are doing since you only want one rule.
Try putting this at the very end of your modsecurity.conf
------------------------------------------------------------------------------------------------------------------------------
SecRule REQUEST_HEADERS:Content-Type "@contains application/msword" \
"id:110,\
phase:1,\
redirect:'http://mydomain/error.html',\
status:302,\
log,\
chain"
SecRule REQUEST_METHOD "^PUT$"
------------------------------------------------------------------------------------------------------------------------------
Could you try that and post what you get in your audit.log with sensitive data redacted?
I’d also set "SecResponseBodyAccess Off" in the config file to save resources if you aren’t using it.
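An added example, not code from the thread: the standalone rule above with a guard against the redirect loop the browser log shows. A 302 leaves the client's method and body untouched, so the redirected "PUT /error.html" carried the same application/msword Content-Type, matched the rule again and looped (ERR_TOO_MANY_REDIRECTS). The example assumes the error page is served at /error.html on the same host, that modsecurity.conf already turns the engine and request body access on, and that ids 1001 and 1002 are free; mydomain is a placeholder.

```apache
# Added example, not from the thread. Assumes: modsecurity.conf already sets
# SecRuleEngine On and SecRequestBodyAccess On, the error page is /error.html on
# this host, and ids 1001/1002 are free. Place it at the very end of modsecurity.conf.

# Redirect a PUT whose body is application/msword, but never for the error page
# itself: a 302 keeps the client's method and body, so the redirected
# "PUT /error.html" would match again and loop (ERR_TOO_MANY_REDIRECTS).
# Disruptive actions and metadata (id, phase, msg, redirect, status) belong on the
# chain starter only; the chain fires when every rule in it matches.
SecRule REQUEST_METHOD "@streq PUT" \
    "id:1001,\
    phase:1,\
    log,\
    auditlog,\
    msg:'PUT of application/msword redirected to error page',\
    redirect:'https://mydomain/error.html',\
    status:303,\
    chain"
    # lowercase first: @contains is case-sensitive and "Application/MSWord" is valid
    SecRule REQUEST_HEADERS:Content-Type "@contains application/msword" \
        "t:none,t:lowercase,chain"
        # the error page is exempt, so a redirected request can never re-trigger 1001
        SecRule REQUEST_FILENAME "!@streq /error.html" "t:none"
```

status:303 ("See Other") tells the client to fetch the error page with GET, which on its own also breaks the loop; the REQUEST_FILENAME exemption covers clients that ignore that. To check it, send `curl -i -X PUT -H 'Content-Type: application/msword' --data-binary @test.doc https://mydomain/upload` and expect a 303 with `Location: https://mydomain/error.html` plus a matching entry in the audit log; the same PUT aimed at /error.html must not be redirected.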
> On Jun 10, 2020, at 2:34 PM, Maik Linnemann <mai...@pr...> wrote:
>
> Hi,
>
> thanks. I don't use the Core Rule Set or anomaly scoring. The only goal is to have a redirection to the error page when someone uploads (PUT) an msword file.
>
>> On 10.06.2020 at 15:43, Steve Hambling <ham...@gm...> wrote:
>>
>> Hi Maik,
>> Are you using Core Rule Set and if so which version?
>> Are you using the default scoring method of “Anomaly Scoring Mode”?
>>
>> In Anomaly Scoring you have to change the default action at the very end of all the rules. So you need to set that in the file RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
>> Make sure to remove the “.example” on that file. You will also want to check the example that is in there because the rule id# you use is going to be specific to your version of CRS.
>> Essentially, in the default Anomaly mode you have to update the action to the blocking rules that trigger once all the anomalies are added up. In the example below that is rules 949110 and 959100.
>> I also think that if you are redirecting you do not need to change the "status:302" as ModSecurity should default to that. But if you wanted a different HTTP code you would put that in the rule id:100 that I made below. Allowed codes for a redirect are: 301, 302, 303, or 307
>>
>>
>> Try adding this to RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
>>
>> # Redirect to another URL on blocking
>> #
>> SecRuleUpdateActionById 949110 "t:none,redirect:'http://mydomain/error.html'"
>> SecRuleUpdateActionById 959100 "t:none,redirect:'http://mydomain/error.html'"
>>
>>
>> Then in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf you would add:
>>
>> # Block all requests for application/msword
>> #
>> SecRule REQUEST_HEADERS:Content-Type "@contains application/msword" \
>> "id:100,\
>> phase:2,\
>> block,\
>> t:none,\
>> log,\
>> chain"
>> SecRule REQUEST_METHOD "^PUT$"
>>
>>
>> Then restart your web server.
>> The audit.log should show you how it processed so I’d check that after testing your rule.
>>
>>
>>
>>
>>
>>
>>
>>> On Jun 10, 2020, at 4:31 AM, Maik Linnemann <mai...@pr...> wrote:
>>>
>>> Dear List,
>>>
>>> i have a rule:
>>>
>>> SecRule REQUEST_HEADERS:Content-Type "@contains application/msword" "chain,id:1,block,log,auditlog"
>>> SecRule REQUEST_METHOD "PUT"
>>>
>>> And i have a default Action:
>>>
>>> SecDefaultAction phase:1,status:302,redirect:/error.html,log,auditlog
>>>
>>> But the redirection never happens when i upload a word document. It is blocked but no redirection.
>>>
>>> The browser log says:
>>>
>>> PUT https://my.domain.com/error.html net::ERR_TOO_MANY_REDIRECTS jquery.js:8630
>>>
>>> I tried dozens of things, it never redirects. Can someone please help.
>>>
>>> Thanks,
>>>
>>> With kind regards,
>>>
>>> Maik
>>> .::provIT::.
>>>
>>> Maik Linnemann
>>>
>>> Brahmsstrasse 4a
>>>
>>> 48291 Telgte
>>>
>>> +49 177 3251429
>>>
>>> mai...@pr...
>>> _______________________________________________
>>> Mod-security-rules mailing list
>>> Mod...@li...
>>> https://lists.sourceforge.net/lists/listinfo/mod-security-rules
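For the anomaly-scoring setup described in Steve Hambling's earlier reply, an added example (not code from the thread or from the CRS project) of how the two exclusion files fit together. It assumes CRS 3.1 or later (the tx.anomaly_score_pl1 and tx.critical_anomaly_score variables), the blocking-rule ids 949110 and 959100 quoted in the thread, and a free id 100; mydomain is a placeholder. The point the thread's rule misses: CRS sets SecDefaultAction to pass, so a custom rule with block alone inherits pass and never blocks; it has to raise the inbound anomaly score, and the CRS blocking rule then does the redirect.

```apache
# Added example, not from the thread or the CRS project. Assumes CRS 3.1+ and the
# rule ids named in the thread; mydomain is a placeholder.

# --- REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf ---
# CRS sets SecDefaultAction to "pass", so "block" on its own inherits pass and blocks
# nothing. The rule raises the inbound anomaly score instead; the CRS blocking rule
# (949110) then fires once the score reaches the configured threshold.
# setvar sits on the last rule of the chain because a non-disruptive action on the
# chain starter runs as soon as that first rule matches, before the rest is evaluated.
SecRule REQUEST_METHOD "@streq PUT" \
    "id:100,\
    phase:2,\
    block,\
    t:none,\
    log,\
    msg:'PUT of application/msword',\
    severity:'CRITICAL',\
    chain"
    SecRule REQUEST_HEADERS:Content-Type "@contains application/msword" \
        "t:none,t:lowercase,\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# --- RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf ---
# Replace the deny in the CRS blocking rules with a redirect. status:303 makes the
# client fetch the error page with GET, so a redirected PUT cannot score again.
SecRuleUpdateActionById 949110 "t:none,redirect:'https://mydomain/error.html',status:303"
SecRuleUpdateActionById 959100 "t:none,redirect:'https://mydomain/error.html',status:303"
```

After a restart, a PUT with Content-Type application/msword should produce a rule 100 message and a 949110 entry in the audit log followed by the 303; if only rule 100 appears, the score did not reach tx.inbound_anomaly_score_threshold and the variable names need checking against the installed CRS version.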