|
From: CASTELLE T. <tca...@ge...> - 2005-11-24 14:14:42
|
Hi there, I just installed mod_security 1.9, and I have a problem with the SecFilterSignatureAction directive which might be a bug... Let's consider this conf (We want mod_security to work in "Log Only" mode) : SecFilterEngine On SecFilterScanPOST On SecFilterSelective REQUEST_METHOD "^POST$" chain SecFilterSelective HTTP_Content-Length "^$" SecFilterSelective HTTP_Transfer-Encoding "!^$" SecFilterDefaultAction "pass,log" SecFilterActionsRestricted On SecFilterCheckURLEncoding On SecFilterCheckUnicodeEncoding Off SecFilterForceByteRange 1 255 SecServerResponseToken Off SecAuditEngine RelevantOnly SecFilter 111 SecFilter 111 chain SecFilter 333 And let's consider these requests and the corresponding log entry : GET /111.html HTTP/1.1 => Log entry : Warning. Pattern match "111" at REQUEST_URI GET /333.html HTTP/1.1 => Log entry : nothing GET /111/333.html HTTP/1.1 => Log entry : Warning. Pattern match "111" at REQUEST_URI Warning. Pattern match "333" at REQUEST_URI Everything's fine here. But if I add an id to the rules, like : SecFilter 111 id:1 SecFilter 111 chain,id:2 SecFilter 333 Then, the warning becomes a deny because, as documented : " Per-rule actions are merged with the actions specified in the most recent SecFilterSignatureAction directive (the default value is log,deny,status:403)" So, I add the appropriate SecFilterSignatureAction like this : SecFilterSignatureAction "pass,log" SecFilter 111 id:1 SecFilter 111 chain,id:2 SecFilter 333 And then, the chain action seems to be ignored : GET /111.html HTTP/1.1 => Log entry : Warning. Pattern match "111" at REQUEST_URI [id "1"] Warning. Pattern match "111" at REQUEST_URI [id "2"] GET /333.html HTTP/1.1 => Log entry : nothing GET /111/333.html HTTP/1.1 => Log entry : Warning. Pattern match "111" at REQUEST_URI [id "1"] Warning. Pattern match "111" at REQUEST_URI [id "2"] This is resulting in *many* false positive warnings in the log... Can you solve this issue please, or tell me what's wrong in my config file ? Thank you very much for your help ! Regards, Thomas Castelle |
