mod-security-users Mailing List for ModSecurity (Page 548)

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi there,

I just installed mod_security 1.9, and I have a problem with the
SecFilterSignatureAction directive which might be a bug...

Let's consider this conf (We want mod_security to work in "Log Only"
mode) :

	SecFilterEngine On

	SecFilterScanPOST On

	SecFilterSelective REQUEST_METHOD "^POST$" chain
	SecFilterSelective HTTP_Content-Length "^$"

	SecFilterSelective HTTP_Transfer-Encoding "!^$"

	SecFilterDefaultAction "pass,log"

	SecFilterActionsRestricted On

	SecFilterCheckURLEncoding On

	SecFilterCheckUnicodeEncoding Off

	SecFilterForceByteRange 1 255

	SecServerResponseToken Off

	SecAuditEngine RelevantOnly

	SecFilter 111  

	SecFilter 111 chain
	SecFilter 333

And let's consider these requests and the corresponding log entry :

GET /111.html HTTP/1.1
=> Log entry : 
	Warning. Pattern match "111" at REQUEST_URI

GET /333.html HTTP/1.1
=> Log entry : 
	nothing

GET /111/333.html HTTP/1.1
=> Log entry : 
	Warning. Pattern match "111" at REQUEST_URI
	Warning. Pattern match "333" at REQUEST_URI

Everything's fine here.

But if I add an id to the rules, like :

	SecFilter 111 id:1

	SecFilter 111 chain,id:2
	SecFilter 333	

Then, the warning becomes a deny because, as documented : " Per-rule
actions are merged with the actions specified in the most recent
SecFilterSignatureAction directive (the default value is
log,deny,status:403)"

So, I add the appropriate SecFilterSignatureAction like this :

	SecFilterSignatureAction "pass,log"

	SecFilter 111 id:1

	SecFilter 111 chain,id:2
	SecFilter 333	

And then, the chain action seems to be ignored :

GET /111.html HTTP/1.1
=> Log entry : 
	Warning. Pattern match "111" at REQUEST_URI [id "1"]
	Warning. Pattern match "111" at REQUEST_URI [id "2"]

GET /333.html HTTP/1.1
=> Log entry : 
	nothing

GET /111/333.html HTTP/1.1
=> Log entry : 
	Warning. Pattern match "111" at REQUEST_URI [id "1"]
	Warning. Pattern match "111" at REQUEST_URI [id "2"]

This is resulting in *many* false positive warnings in the log...

Can you solve this issue please, or tell me what's wrong in my config
file ?

Thank you very much for your help !

Regards,

Thomas Castelle

2003	Jan	Feb	Mar	Apr	May	Jun (2)	Jul (17)	Aug (7)	Sep (8)	Oct (11)	Nov (14)	Dec (19)
2004	Jan (46)	Feb (14)	Mar (20)	Apr (48)	May (15)	Jun (20)	Jul (36)	Aug (24)	Sep (31)	Oct (28)	Nov (23)	Dec (12)
2005	Jan (69)	Feb (61)	Mar (82)	Apr (53)	May (26)	Jun (71)	Jul (27)	Aug (52)	Sep (28)	Oct (49)	Nov (104)	Dec (74)
2006	Jan (61)	Feb (148)	Mar (82)	Apr (139)	May (65)	Jun (116)	Jul (92)	Aug (101)	Sep (84)	Oct (103)	Nov (174)	Dec (102)
2007	Jan (166)	Feb (161)	Mar (181)	Apr (152)	May (192)	Jun (250)	Jul (127)	Aug (165)	Sep (97)	Oct (135)	Nov (206)	Dec (56)
2008	Jan (160)	Feb (135)	Mar (98)	Apr (89)	May (115)	Jun (95)	Jul (188)	Aug (167)	Sep (153)	Oct (84)	Nov (82)	Dec (85)
2009	Jan (139)	Feb (133)	Mar (128)	Apr (105)	May (135)	Jun (79)	Jul (92)	Aug (134)	Sep (73)	Oct (112)	Nov (159)	Dec (80)
2010	Jan (100)	Feb (116)	Mar (130)	Apr (59)	May (88)	Jun (59)	Jul (69)	Aug (67)	Sep (82)	Oct (76)	Nov (59)	Dec (34)
2011	Jan (84)	Feb (74)	Mar (81)	Apr (94)	May (188)	Jun (72)	Jul (118)	Aug (109)	Sep (111)	Oct (80)	Nov (51)	Dec (44)
2012	Jan (80)	Feb (123)	Mar (46)	Apr (12)	May (40)	Jun (62)	Jul (95)	Aug (66)	Sep (65)	Oct (53)	Nov (42)	Dec (60)
2013	Jan (96)	Feb (96)	Mar (108)	Apr (72)	May (115)	Jun (111)	Jul (114)	Aug (87)	Sep (93)	Oct (97)	Nov (104)	Dec (82)
2014	Jan (96)	Feb (77)	Mar (71)	Apr (40)	May (48)	Jun (78)	Jul (54)	Aug (44)	Sep (58)	Oct (79)	Nov (51)	Dec (52)
2015	Jan (55)	Feb (59)	Mar (48)	Apr (40)	May (45)	Jun (63)	Jul (36)	Aug (49)	Sep (35)	Oct (58)	Nov (21)	Dec (47)
2016	Jan (35)	Feb (81)	Mar (43)	Apr (41)	May (77)	Jun (52)	Jul (39)	Aug (34)	Sep (107)	Oct (67)	Nov (54)	Dec (20)
2017	Jan (99)	Feb (37)	Mar (86)	Apr (47)	May (57)	Jun (55)	Jul (34)	Aug (31)	Sep (16)	Oct (49)	Nov (53)	Dec (33)
2018	Jan (25)	Feb (11)	Mar (79)	Apr (77)	May (5)	Jun (19)	Jul (17)	Aug (7)	Sep (13)	Oct (22)	Nov (13)	Dec (68)
2019	Jan (44)	Feb (17)	Mar (40)	Apr (39)	May (18)	Jun (14)	Jul (20)	Aug (31)	Sep (11)	Oct (35)	Nov (3)	Dec (10)
2020	Jan (32)	Feb (16)	Mar (10)	Apr (22)	May (2)	Jun (34)	Jul (1)	Aug (8)	Sep (36)	Oct (16)	Nov (13)	Dec (10)
2021	Jan (16)	Feb (23)	Mar (45)	Apr (28)	May (6)	Jun (17)	Jul (8)	Aug (1)	Sep (2)	Oct (35)	Nov	Dec (5)
2022	Jan	Feb (17)	Mar (23)	Apr (23)	May (9)	Jun (8)	Jul	Aug	Sep (7)	Oct (5)	Nov (16)	Dec (4)
2023	Jan	Feb	Mar (3)	Apr	May (1)	Jun (4)	Jul (1)	Aug	Sep (2)	Oct (1)	Nov	Dec
2024	Jan (7)	Feb (13)	Mar (18)	Apr	May	Jun	Jul	Aug	Sep (2)	Oct (1)	Nov (5)	Dec (3)
2025	Jan	Feb	Mar	Apr (12)	May (12)	Jun (2)	Jul (3)	Aug	Sep	Oct	Nov	Dec

mod-security-users Mailing List for ModSecurity (Page 548)

mod-security-users — General discussion about mod_security