Re: [mod-security-users] Need help understanding rule activity
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Need help understanding rule activity
|
From: Ivan R. <iv...@we...> - 2005-06-21 08:31:25
|
Peter Loron wrote: > Hi! I've got mod_security 1.8.7 installed against Apache 2.0.46, CentOS > 3.4. I've got some rules (mostly gotroot.com) installed. I noted after > installation that the audit log shows mod_security catching an attack > (see below for log snippet). The attempt in question was against a > phpBB site which was currently not set up: a non-attack request to the > same viewtopic.php would yield a 404. > > When the same attack is run against an active phpBB site (non-attack > request would show the proper topic), I get the properly displayed > topic and no record in the audit log. > > It seems very odd to me that the presence or absence of a target for > the request (viewtopic.php in this case) would matter...I was under the > impression that mod_security processed requests before it ever made it > down to the page serving part of Apache. It does. But there are modules that run before mod_security, they may interfere by changing the request in some way. > Can anybody point me to some documentation so I can straighten myself > out? Thanks. The best way to proceed is to set the debug log to 9, and perform an attack in both cases, with and without PHPBB installed. > Handler: type-map This may be a clue. For what purpose are you using mod_negotiate? Try turning it off. -- Ivan Ristic Apache Security (O'Reilly) - http://www.apachesecurity.net Open source web application firewall - http://www.modsecurity.org |
