[mod-security-users] Filter question
From: Jim M. <ji...@ww...> - 2006-02-23 15:58:27
Hi, I am a semi-new (just over a week) user of mod_security, having
installed it when a bad PHP script on our web server was used to spam
hundreds of AOL users. It's done a fine job of blocking further attempts
to abuse PHP.
The script that the attackers used was called contactus.php and they used
SMTP header injection to do the spam. I noticed that when I first
installed mod_security, it blocked a lot of attempts, but I have seen very
little activity in the audit log since. But the Apache log shows that the
script is still being called. So I decided to log all calls to
contactus.php to see what was happening. I'm running mod_security 1.9.2
under Apache 1.3.34 and here is the complete config:
<ifModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Unicode encoding check
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 0 255
# Only log suspicious requests
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog logs/audit_log
# Debug level set to a minimum
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"
#
# rules
#
# filter out SMTP injection attempts to exploit badly-written PHP scripts
# skip the check if the script is formmail.pl
SecFilterSelective SCRIPT_FILENAME "formmail\.pl" skip
SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@"
SecFilterSelective SCRIPT_FILENAME "contactus\.php" "auditlog,pass"
</IfModule>
I added the third rule this morning to try and log calls to contactus.php
that do not get blocked by the second rule. Here is a log entry:
==00004f90==============================
Request: lib.uah.edu 211.220.247.254 - - [23/Feb/2006:09:49:32 -0600]
"POST /contactus.php HTTP/1.1" 200 16163 "http://lib.uah.edu/" "-" - "-"
----------------------------------------
POST /contactus.php HTTP/1.1
Connection: Keep-Alive, Close
Content-Length: 773
Content-Type: application/x-www-form-urlencoded
Host: lib.uah.edu
Referer: http://lib.uah.edu/
mod_security-message: Warning. Pattern match "contactus\\.php" at
SCRIPT_FILENAME
773
esh_formmail_recipient=where7087%40lib.uah.edu&esh_formmail_cc=th%0D%0AContent-Type%3A+multipart%2Falternative%3B+boundary%3D1bcca4044c1101318a576bbebb0fdef3%0AMIME-Version%3A+1.0%0ASubject%3A+whose+rank+they+can+borrow%0Abcc%3A+StarlaK8099%40aol.com%0A%0AThis+is+a+multi-part+message+in+MIME+format.%0A%0A--1bcca4044c1101318a576bbebb0fdef3%0AContent-Type%3A+text%2Fplain%3B+charset%3D%22us-ascii%22%0AMIME-Version%3A+1.0%0AContent-Transfer-Encoding%3A+7bit%0A%0Adance+and+she+fell+dead+to+the+earth+uthor+s+ote+n+hiele+s+anish+opular+radition+it+is+related+that+she+was+one+argrethe+kofgaard%0A--1bcca4044c1101318a576bbebb0fdef3--%0A%0D%0A.%0D%0A&formmail_submit=where7087%40lib.uah.edu&esh_formmail_bcc=where7087%40lib.uah.edu&esh_formmail_subject=where7087%40lib.uah.edu
HTTP/1.1 200 OK
X-Powered-By: PHP/4.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
--00004f90--
Note that part of the request reads, "%0Abcc%3A+StarlaK8099%40aol.com", so
why didn't the second rule block the request? Not sure what I'm doing
wrong here. Thanks...
Jim McCullars
University of Alabama in Huntsville
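An added example, not part of the post: it applies the post's second rule to the logged POST body offline, as a way of checking what the rule should match. Python's `re` reads `\n` as a real newline and `[[:space:]]` is written as `\s`; whether mod_security 1.9's regex engine treats the rule the same way is an open question that the post does not settle. The `message` field in the benign sample is a constructed, hypothetical name.

```python
import re
from urllib.parse import parse_qsl

# The post's second rule, re-expressed for Python's re module: "\n" is a real
# newline here and [[:space:]] is written as \s. Whether mod_security 1.9's
# own regex engine reads the rule the same way is not established by the post.
HEADER_INJECTION = re.compile(r"\n\s*(to|bcc|cc)\s*:.*@")

# Shortened copy of the POST body from the audit-log entry in the post.
LOGGED_BODY = (
    "esh_formmail_recipient=where7087%40lib.uah.edu"
    "&esh_formmail_cc=th%0D%0AContent-Type%3A+multipart%2Falternative%3B"
    "+boundary%3D1bcca4044c1101318a576bbebb0fdef3%0AMIME-Version%3A+1.0"
    "%0ASubject%3A+whose+rank+they+can+borrow"
    "%0Abcc%3A+StarlaK8099%40aol.com%0A%0A"
    "This+is+a+multi-part+message+in+MIME+format.%0A"
    "&formmail_submit=where7087%40lib.uah.edu"
    "&esh_formmail_bcc=where7087%40lib.uah.edu"
)

# Constructed benign submission (not from the post, "message" is hypothetical):
# a multi-line message body is normal and must not trigger the rule.
BENIGN_BODY = (
    "esh_formmail_recipient=where7087%40lib.uah.edu&esh_formmail_cc="
    "&esh_formmail_subject=Opening+hours"
    "&message=Hello%2C%0Awhen+does+the+library+open%3F"
)

def injected_headers(body: str) -> dict:
    """Map each form field whose decoded value carries an injected
    To/Cc/Bcc header line to the text the rule matched in it."""
    hits = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        # parse_qsl turns %0A into "\n" and "+" into " ": this is the value
        # the PHP script hands to mail(), and the view ARGS_VALUES should see.
        found = [m.group(0).strip() for m in HEADER_INJECTION.finditer(value)]
        if found:
            hits[name] = found
    return hits

def matches_undecoded(body: str) -> bool:
    """Apply the same rule to the raw, still-percent-encoded body. The
    injected newlines are "%0A" there, so the pattern cannot match: a rule
    like this only works on decoded argument values."""
    return HEADER_INJECTION.search(body) is not None
```

Run against the logged body, `injected_headers` reports the `esh_formmail_cc` field, while the same pattern applied to the undecoded body finds nothing, so decoding (or its absence) is the first thing to check when a rule like this fails to fire.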