[mod-security-users] Need help understanding rule activity
From: Peter L. <pe...@st...> - 2005-06-21 07:19:19
Hi! I've got mod_security 1.8.7 installed against Apache 2.0.46, CentOS 3.4. I've got some rules (mostly gotroot.com) installed. I noted after installation that the audit log shows mod_security catching an attack (see below for log snippet). The attempt in question was against a phpBB site which was currently not set up: a non-attack request to the same viewtopic.php would yield a 404. When the same attack is run against an active phpBB site (non-attack request would show the proper topic), I get the properly displayed topic and no record in the audit log.

It seems very odd to me that the presence or absence of a target for the request (viewtopic.php in this case) would matter...I was under the impression that mod_security processed requests before it ever made it down to the page serving part of Apache. Can anybody point me to some documentation so I can straighten myself out?

Thanks.

-Pete

========================================
UNIQUE_ID: qpuNOX8AAAEAACdDPfIAAAAH
Request: 66.45.252.82 - - [17/Jun/2005:22:49:31 --0700] "GET /viewtopic.php?t=20746&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 403 0
Handler: type-map
----------------------------------------
GET /viewtopic.php?t=20746&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0
Host: <withheld>
Accept: */*
User-Agent: Mozilla/4.0
mod_security-message: Access denied with code 403. Pattern match "(system|exec|passthru|cmd|fopen|exit|fwrite)" at THE_REQUEST
mod_security-action: 403
HTTP/1.0
Content-Length: 412
Connection: close
Content-Type: text/html; charset=iso-8859-1
========================================
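The following triage script is an added example for readers of this thread; it is not part of Pete's message and not mod_security code. It takes the request line from the audit-log entry above (mail wrapping joined back together), applies the same pattern quoted in the mod_security-message header, and peels the URL-encoding layers of the highlight parameter one at a time. It shows two things an analyst reading this entry wants to confirm: the token "system" appears literally in the raw request line, so the THE_REQUEST match does not depend on any decoding, and the parameter is double-encoded (two rounds of unquoting before it stops changing). The chr() collapsing helper is an assumption about how the payload was meant to be assembled and is only there to make the logged probe readable.

```python
import re
from urllib.parse import unquote

# Request line copied from the audit-log entry quoted in the post, with the
# mail-client line wrapping joined back together (page data, not a constructed
# sample; the client IP and Host header are not needed here).
AUDIT_REQUEST = (
    "GET /viewtopic.php?t=20746&highlight=%2527%252Esystem(chr(112)%252Echr(101)"
    "%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)"
    "%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)"
    "%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)"
    "%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)"
    "%252Echr(34))%252E%2527 HTTP/1.0"
)

# The pattern quoted verbatim in the entry's mod_security-message header.
RULE_PATTERN = re.compile(r"(system|exec|passthru|cmd|fopen|exit|fwrite)")


def split_request_line(request_line):
    """Split 'METHOD target HTTP/x.y' into its parts and the raw query parameters.

    Parameters are deliberately left undecoded; decoding is done explicitly in
    decode_layers() so each encoding layer can be inspected on its own."""
    method, target, version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return {"method": method, "path": path, "version": version, "params": params}


def decode_layers(value, max_rounds=5):
    """URL-decode repeatedly until the text stops changing.

    Returns every layer, raw first, so double (or deeper) encoding is visible."""
    layers = [value]
    for _ in range(max_rounds):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def rule_hits(text):
    """Tokens of RULE_PATTERN present in text, deduplicated and sorted."""
    return sorted({m.group(1) for m in RULE_PATTERN.finditer(text)})


def resolve_chr_chains(text):
    """Collapse chr(NN).chr(NN)... chains into the string they build.

    Assumption: the chains use PHP/Perl-style chr() joined with '.', which is
    what the decoded parameter above looks like."""
    def join(match):
        codes = re.findall(r"chr\((\d+)\)", match.group(0))
        return "".join(chr(int(c)) for c in codes)
    return re.sub(r"chr\(\d+\)(?:\.chr\(\d+\))*", join, text)


def triage(request_line, param="highlight"):
    """Summarise why the request matched and what the parameter decodes to."""
    req = split_request_line(request_line)
    layers = decode_layers(req["params"].get(param, ""))
    return {
        "path": req["path"],
        "raw_request_hits": rule_hits(request_line),  # what THE_REQUEST sees
        "hits_per_layer": [rule_hits(layer) for layer in layers],
        "encoding_depth": len(layers) - 1,
        "decoded": layers[-1],
        "readable": resolve_chr_chains(layers[-1]),
    }


if __name__ == "__main__":
    for key, value in triage(AUDIT_REQUEST).items():
        print(f"{key}: {value}")
```

Running it reports encoding_depth 2, a "system" hit at every layer including the raw request line, and the collapsed chr() chain, which for this entry is a harmless marker print rather than anything destructive. The per-layer hit list is the useful part for the question in the post: because the match target is THE_REQUEST and the token is in clear text, the rule decision is made on the request line alone, which is a good starting point when comparing what the two servers actually received.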