Re: [mod-security-users] detection-only mode at 1.9.5 ?
From: Monty R. <chu...@ho...> - 2007-06-23 15:02:41
So sorry for my not understanding what you said.

> As you mentioned, you can simulate this functionality by using the pass action
> however that is on a per rule basis (unless you use it in SecFilterDefaultAction).

==> I have set up SecFilterDefaultAction "pass,log". If I set "pass,log" on all filter rules, what's the meaning of SecFilterDefaultAction? And does this SecFilterDefaultAction have no effect for detection only?

Thanks for your answer again.

> From: "Ryan Barnett" <Ryan.Barnett@Breach.com>
> To: <chu...@ho...>, <mod...@li...>
> Subject: Re: [mod-security-users] detection-only mode at 1.9.5 ?
> Date: Fri, 22 Jun 2007 19:27:00 -0400
>
> The difference is that in Mod 1.x, there was no DetectionOnly mode for the rule engine. As you mentioned, you can simulate this functionality by using the pass action; however, that is on a per-rule basis (unless you use it in SecFilterDefaultAction).
>
> The main reason that the DetectionOnly SecRuleEngine directive option was created in 2.x was to make it easier to switch between detection and blocking modes.
>
> The methods you outlined below will work.
>
> Thanks,
> Ryan C. Barnett
>
> ----- Original Message -----
> From: Monty Ree <chu...@ho...>
> To: Ryan Barnett; mod...@li... <mod...@li...>
> Sent: Fri Jun 22 18:44:11 2007
> Subject: RE: [mod-security-users] detection-only mode at 1.9.5 ?
>
> Thanks for your answer Ryan Barnett.
>
> But I have some questions about your answer.
>
> You said "ModSecurity 1.X does not have a Detection-Only mode of operation for the SecFilterEngine directive."
>
> But I had thought that SecFilterDefaultAction "pass,log" means Detection-Only.
> Why is this directive not Detection-Only?
>
> If so, should I set "pass,log" on all filter rules just to get detection-only?
>
> I need a detection-only function to customize the rules before I apply them to my web service.
>
> Thanks for your time...
>
> > From: "Ryan Barnett" <Ryan.Barnett@Breach.com>
> > To: "Monty Ree" <chu...@ho...>, <mod...@li...>
> > Subject: RE: [mod-security-users] detection-only mode at 1.9.5 ?
> > Date: Fri, 22 Jun 2007 12:50:51 -0400
> >
> > ModSecurity 1.X does not have a Detection-Only mode of operation for the SecFilterEngine directive. This means that your only course of action is to change the actual action associated with that specific PHP Injection Attack rule. Instead of using the deny action, change it to pass.
> >
> > One thing to consider, however, before changing the action. Are you 100% sure that this is a false positive or that you don't want to block these requests? It looks as though this rule is protecting against clients executing a remote file include attack. What are the normal values for the "url" argument? Does it include a full URL? Normally, these are referencing local files.
> >
> > --
> > Ryan C. Barnett
> > ModSecurity Community Manager
> > Breach Security: Director of Application Security Training
> > Web Application Security Consortium (WASC) Member
> > CIS Apache Benchmark Project Lead
> > SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> > Author: Preventing Web Attacks with Apache
> >
> > > -----Original Message-----
> > > From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Monty Ree
> > > Sent: Friday, June 22, 2007 12:23 PM
> > > To: mod...@li...
> > > Subject: [mod-security-users] detection-only mode at 1.9.5 ?
> > >
> > > Hello, all.
> > >
> > > I have set up modsecurity like below.
> > > apache 1.3 + modsecurity 1.9.5
> > >
> > > SecFilterEngine On
> > > SecFilterDefaultAction "pass,log"
> > > SecAuditEngine RelevantOnly
> > > SecAuditLog logs/modsec_audit.log
> > > SecFilterCheckURLEncoding Off
> > >
> > > but, sometime later I can see lots of messages like below.
> > >
> > > mod_security-message: Access denied with code 403. Pattern match "^http:/" at ARGS_VALUES("url") [msg "PHP Injection Attacks"] [severity "EMERGENCY"]
> > > mod_security-action: 403
> > >
> > > In fact, the above connection is filtered.
> > > But I would like to use just detection-only mode.
> > > So what should I do to use detection-only mode?
> > >
> > > Thanks for your time..
> > >
> > > _______________________________________________
> > > mod-security-users mailing list
> > > mod...@li...
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
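The per-rule behaviour Ryan describes, as an added configuration example that is not part of the thread or of the ModSecurity project's own files: in 1.9.x, SecFilterDefaultAction only supplies the action list for rules that carry none, so a rule with its own deny action still returns 403 regardless of the default. The rule text below is reconstructed from the quoted log line (pattern, location, msg and severity); the actual rule file the poster was using is not shown in the thread, so its exact wording is an assumption.

```apache
# Added example (not from the thread). Apache 1.3 + ModSecurity 1.9.x syntax.
# SecFilterDefaultAction must come before the rules it is meant to cover.
SecFilterEngine On
SecFilterDefaultAction "pass,log"

# A rule WITHOUT its own action list inherits the default above:
# a match is logged, the request is allowed through.
SecFilter "\.\./"

# A rule WITH an explicit action list overrides SecFilterDefaultAction.
# Reconstructed shape of the rule behind the quoted
# "Access denied with code 403 ... [msg "PHP Injection Attacks"]" message:
SecFilterSelective ARGS_VALUES "^http:/" \
    "deny,log,status:403,msg:'PHP Injection Attacks',severity:EMERGENCY"

# Detection-only form of the same rule for 1.9.x: same pattern, same msg and
# severity so the audit log entries stay comparable, deny swapped for pass.
# Use this INSTEAD of the blocking rule above while tuning the ruleset.
#SecFilterSelective ARGS_VALUES "^http:/" \
#    "pass,log,msg:'PHP Injection Attacks',severity:EMERGENCY"

# ModSecurity 2.x: the single engine-wide switch Ryan refers to. Every rule
# still evaluates and logs, but no rule's disruptive action is enforced.
#SecRuleEngine DetectionOnly
```

When the tuning period ends, reverting is a one-line change in 2.x (DetectionOnly back to On), whereas in 1.9.x every rule whose action list was edited has to be restored individually, which is the maintenance cost Ryan is pointing at.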