[mod-security-users] SecDefaultAction behavior and per-rule actions syntax...
From: Frank M. <fra...@ho...> - 2007-07-09 17:18:48
Hi All,

Forgive the newbie questions.... I'm finding the documentation and lack of examples on ACTION syntax quite confusing.... I'd be grateful for any thoughts/links on the following two related questions:

Question 1
---------------------------------------------------------------------------------
Many "actions" can be strung together in comma delimited strings: is there any positional significance in these action strings or resolution strategy for actions that contradict each other?
---------------------------------------------------------------------------------
For example - here are two rules:

>> SecRule REQUEST_HEADERS:User-Agent "Test" allow,nolog
>> SecRule REMOTE_ADDR "^192\.168\.1\.100$" auditlog,phase:1,allow

The first rule specified action: "allow,nolog"
The second rule specified action: "auditlog,phase:1,allow"

Can the "allow" action appear anywhere in the string?
If a "phase" is not specified - what does it default to?

Question 2
---------------------------------------------------------------------------------
It's not clear to me - does the SecDefaultAction directive override the actions specified in following SecRules?
---------------------------------------------------------------------------------
For example - if I use the following global "log and pass" security policy:

>> SecDefaultAction "phase:2,log,pass,status:500"

would this override a "deny" specified in a SecRule that follows - like this:

>> SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "deny,log,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',,id:'960017',"

OR - is the SecDefaultAction directive only good for SecRules that have not specified ANY action?

The core_rules comments seem to indicate SecDefaultAction can override following SecRule actions... From the documentation.....

>> #.....You can also leave the
>> # default setting here as is, but use per rule action configuration
>> # to only configure some rules to reject requests, leaving most
>> # of them to work in detection mode.

Well - where can we find an example of this?

I'm trying to use the "ctl:????" action to force this rule to deny in my custom *.conf file: modsecurity_crs_60_customrules.conf
but there isn't any ctl:defaultAction configuration option?

Should I just do the following (where ip xxx.xxx.xxx.xxx is some numeric IP I want to allow...):

SecRuleRemoveById 960017
SecDefaultAction "phase:2,log,deny,status:500"
SecRule REQUEST_HEADERS:Host "!^(xxx.xxx.xxx.xxx)$" "deny,log,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',,id:'1000',"
SecDefaultAction "phase:2,log,pass,status:500"

Any thoughts appreciated....

Thanks
Frank
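An added illustration, not part of the thread and not ModSecurity's own code: a small Python model of the inheritance the ModSecurity 2.x reference manual describes, where every rule after a SecDefaultAction inherits that action list and each action the rule names itself replaces the inherited one. The model treats the disruptive actions as one slot (a rule's "deny" replaces the default "pass"), treats "nolog" as also switching off the audit log, and falls back to phase 2 and "pass" when neither side says otherwise; those fallbacks, the helper names and the "one disruptive slot" simplification are my assumptions. The action strings fed to it are the ones from the post, so you can check what each rule would effectively do under the "log and pass" default.

```python
"""Model of how a rule's own actions layer over SecDefaultAction.

Illustration only (assumed behaviour per the ModSecurity 2.x manual),
not the engine's implementation.
"""

# Disruptive actions occupy a single slot: a rule may name only one,
# and naming one replaces whatever SecDefaultAction supplied.
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "proxy", "redirect"}


def split_actions(action_string):
    """Split a comma-delimited action string, respecting single-quoted
    values. Empty tokens (the ',,' and trailing ',' in the CRS rule) are
    dropped rather than treated as errors."""
    tokens, buf, quoted = [], [], False
    for ch in action_string:
        if ch == "'":
            quoted = not quoted
            buf.append(ch)
        elif ch == "," and not quoted:
            tokens.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tokens.append("".join(buf).strip())
    return [t for t in tokens if t]


def parse_actions(action_string):
    """Return a list of (name, value) pairs; bare actions get value ''."""
    parsed = []
    for token in split_actions(action_string):
        name, _, value = token.partition(":")
        parsed.append((name.strip().lower(), value.strip().strip("'")))
    return parsed


def effective_actions(default_action_string, rule_action_string):
    """Apply SecDefaultAction first, then the rule's own actions on top.

    Order of actions inside either string does not matter for the
    fields modelled here: later mentions of the same field simply win.
    """
    # Engine fallbacks when neither side specifies them (assumed values).
    effective = {"phase": "2", "disruptive": "pass", "log": True, "auditlog": True}

    def apply(actions):
        for name, value in actions:
            if name in DISRUPTIVE:
                effective["disruptive"] = name
            elif name == "log":            # log implies auditlog
                effective["log"] = True
                effective["auditlog"] = True
            elif name == "nolog":          # nolog implies noauditlog
                effective["log"] = False
                effective["auditlog"] = False
            elif name == "auditlog":
                effective["auditlog"] = True
            elif name == "noauditlog":
                effective["auditlog"] = False
            else:                          # phase, status, id, msg, severity, ...
                effective[name] = value

    apply(parse_actions(default_action_string))
    apply(parse_actions(rule_action_string))
    return effective


if __name__ == "__main__":
    # Action strings taken from the post above.
    DEFAULT = "phase:2,log,pass,status:500"
    CRS_960017 = ("deny,log,auditlog,status:400,msg:'Host header is a numeric "
                  "IP address', severity:'2',,id:'960017',")
    for rule in ("allow,nolog", "auditlog,phase:1,allow", CRS_960017):
        print(rule[:40].ljust(42), effective_actions(DEFAULT, rule))
```

Running it shows the two readings the post is asking about: the CRS rule keeps its own "deny" and status 400 because it names them, while "allow,nolog" inherits phase 2 and status 500 from the default and only changes the slots it mentions.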