Re: [mod-security-users] secRuleRemoveById not working
From: Ofer S. <OferS@Breach.com> - 2006-11-28 13:49:01

I'm glad that you found the solution, just to highlight the issue for others:

From version 2.0.4, ModSecurity requires a phase in the SecDefaultAction directive. We felt that without a phase the action list is not well defined.

~ Ofer

________________________________
From: Dan Rossi [mailto:sp...@el...]
Sent: Monday, November 27, 2006 4:17 AM
To: Ofer Shezaf
Cc: mod...@li...
Subject: Re: [mod-security-users] secRuleRemoveById not working

I also just got an error on our FreeBSD 5.4 machine running Apache 2.0.55 which we don't get on our FreeBSD 6.1 machine running Apache 2.0.59

    Syntax error on line 93 of /www/apache/conf/extra/mod_security/default/config.conf:
    ModSecurity: SecDefaultAction must specify a phase.

confirming this is correct

    SecDefaultAction "log,pass,status:500"

I changed it to

    SecDefaultAction "log,pass,phase:1,status:500"

Ofer Shezaf wrote:

I assume you meant 50107 (as there is no 50108 in the core rule set). Now to further understand:

- Do you mean that the request was not blocked but still logged to the audit log?
- Was it logged to the Apache error log?
- Can you send the relevant audit log record? It will help us to understand where the problem is.

Thanks
~ Ofer

________________________________
From: Dan Rossi [mailto:sp...@el...]
Sent: Monday, November 27, 2006 12:47 AM
To: Ofer Shezaf
Cc: mod...@li...
Subject: Re: [mod-security-users] secRuleRemoveById not working

Hi, setting it to phase:2 works, however it still gets logged into the audit log! How do I stop it from being logged even after I removed the rule by doing this

    <LocationMatch "/signup">
    SecRuleRemoveById 50108
    </LocationMatch>

Ofer Shezaf wrote:

Rule 50107 executes in phase 1. Apache Location and LocationMatch tags are not evaluated yet during this phase, so you cannot use it to bypass this rule. Currently your best choice is to move rule 50107 to phase 2.

Actually I think that in future releases of the rule set I may delay most rules to phase 2 for that reason until we find a way to use Location in phase 1.

As for logs: the rule set by default outputs events to both Apache error log and ModSecurity audit log. The ModSecurity console uses the audit log, which also has more details, but different SIM solutions work out of the box with Apache error log. I would love to hear more input on that.

~ Ofer
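
The phase problem discussed in this thread, turned into a configuration check (an added example, not code from the thread or from the ModSecurity project): it flags SecRuleRemoveById directives inside Location/LocationMatch blocks that target phase 1 rules. The sample config, the rule bodies and ID 60001 are constructed, the function names are hypothetical, and falling back to phase 2 when no phase is given is an assumption.

```python
import re

# Constructed sample config; rule bodies are placeholders, ID 60001 is made up.
SAMPLE_CONF = '''
SecDefaultAction "log,pass,phase:1,status:500"
SecRule REQUEST_HEADERS:User-Agent "placeholder" "id:50107,phase:1,deny"
SecRule ARGS "placeholder" "id:60001,phase:2,deny"
<LocationMatch "/signup">
    SecRuleRemoveById 50107
    SecRuleRemoveById 60001
</LocationMatch>
'''

def rule_phases(conf):
    """Map rule id -> phase; rules without a phase inherit SecDefaultAction's."""
    phases, default_phase = {}, 2  # assumption: phase 2 when none is given
    for line in map(str.strip, conf.splitlines()):
        quoted = re.findall(r'"([^"]*)"', line)
        if not quoted:
            continue
        actions = quoted[-1]  # the action list is the last quoted string
        phase = re.search(r'\bphase:(\d)', actions)
        if line.startswith("SecDefaultAction"):
            if phase:
                default_phase = int(phase.group(1))
        elif line.startswith("SecRule "):
            rule_id = re.search(r'\bid:(\d+)', actions)
            if rule_id:
                phases[int(rule_id.group(1))] = (
                    int(phase.group(1)) if phase else default_phase)
    return phases

def ineffective_removals(conf):
    """List (location, rule_id) removals that target phase 1 rules."""
    phases, findings, location = rule_phases(conf), [], None
    for line in map(str.strip, conf.splitlines()):
        opened = re.match(r'<Location(?:Match)?\s+"?([^">]+)"?\s*>', line)
        if opened:
            location = opened.group(1)
        elif re.match(r'</Location(?:Match)?>', line):
            location = None
        elif location and line.startswith("SecRuleRemoveById"):
            # Only plain numeric IDs are handled here, one or more per line.
            for rule_id in map(int, re.findall(r'\b\d+\b', line)):
                if phases.get(rule_id) == 1:
                    findings.append((location, rule_id))
    return findings

if __name__ == "__main__":
    for location, rule_id in ineffective_removals(SAMPLE_CONF):
        print(f"{location}: SecRuleRemoveById {rule_id} targets a phase 1 rule")
```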