Re: [mod-security-users] mod_security + webmail + body message
From: Ivan R. <iv...@we...> - 2005-10-29 19:05:58
Ryan Barnett wrote:
> Tomas - Welcome to my world :) I have been using Apache/Mod_Security as
> a reverse proxy for Microsoft's Outlook Web Access and have run into this
> same issue. When you are dealing with webmail apps, it gets infinitely
> more difficult to fine tune your filters. This is due in most part from
> the concept of mixing HTTP and SMTP. We just have no way to forecast
> "expected behavior" for what people will write in the body of their
> emails.
>
> With that being said, you can try some of the following -
>
> 1) Turn off PostPayload scanning.
> This would certainly stop these errors, but then you would also not be
> monitoring a key area where attackers target.
>
> 2) Use SecFilterSelective instead of SecFilter
> SecFilter is too broad. SecFilterSelective will allow you to focus your
> search to specific request locations. The best locations to look for
> attacks (excluding the post payload) are THE_REQUEST, QUERY_STRING or
> choose some specific headers such as COOKIE_VALUES. So, an updated
> filter would look like this -
>
> SecFilterSelective "THE_REQUEST|COOKIE_VALUES" "/bin/chmod"

Just a small correction: here you really want to use COOKIES_VALUES,
because COOKIE_VALUES would only look in a cookie named "values".
COOKIES_VALUES (with an "S") examines all cookies present in a request.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
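The difference between the two location names, as an added example that is not part of the original thread and is not ModSecurity code: a simplified Python model of how the locations in a `SecFilterSelective` rule select text to scan. The function names, the case-insensitive cookie-name comparison and the sample request are assumptions made for illustration.

```python
import re

def parse_cookies(header):
    """Split a Cookie header into a {name: value} dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies

def resolve(location, request_line, cookies):
    """Return the strings that one location name selects for scanning."""
    if location == "THE_REQUEST":
        return [request_line]
    if location == "COOKIES_VALUES":
        # With the "S": the values of every cookie in the request.
        return list(cookies.values())
    if location.startswith("COOKIE_"):
        # Without the "S": only the cookie whose name follows the prefix.
        # Case-insensitive name comparison is an assumption of this model.
        wanted = location[len("COOKIE_"):].lower()
        return [v for n, v in cookies.items() if n.lower() == wanted]
    raise ValueError("location not modelled: " + location)

def selective_match(locations, pattern, request_line, cookie_header):
    """Model of SecFilterSelective "<locations>" "<pattern>"."""
    cookies = parse_cookies(cookie_header)
    rx = re.compile(pattern)
    return any(
        rx.search(text)
        for loc in locations.split("|")
        for text in resolve(loc, request_line, cookies)
    )

# Constructed sample request: the pattern sits in a cookie named "theme".
REQUEST_LINE = "GET /mail/inbox HTTP/1.1"
COOKIE_HEADER = "sid=abc123; theme=/bin/chmod"

if __name__ == "__main__":
    for locs in ("THE_REQUEST|COOKIE_VALUES", "THE_REQUEST|COOKIES_VALUES"):
        hit = selective_match(locs, "/bin/chmod", REQUEST_LINE, COOKIE_HEADER)
        print(locs, "->", "match" if hit else "no match")
```

The rule written with `COOKIE_VALUES` loads without complaint and simply never sees the other cookies, so a filter built that way fails silently rather than with an error.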