mod-security-users

[mod-security-users] Logging server response

[Todor P. <pet...@gm...>]

Hello,

I am trying to set up modsecurity 2.9.2 to log requests/response on
Apache 2.4.6. My config is https://pastebin.com/wAZJwecy. When there
is mod_rewrite rule to forward to index.php, it does not log the
response, even if I open directly http://server/index.php instead of
http://server. If I remove the
mod_rewrite lines from .htaccess, the logging is fine. Has anyone run
into such scenario?


Regards

Re: [mod-security-users] Logging server response

[Christian F. <chr...@ne...>]

Todor,

Your pastebin is now gone, but it feels as if your RewriteRule would ahve
apache stop all further execution of the request. This bypasses ModSec
and immediately sends out the response. This is also the case when you
encounter a local 404 as an example.

Best,

Christian

On Thu, Oct 18, 2018 at 05:40:25PM +0300, Todor Petkov wrote:
> Hello,
> 
> I am trying to set up modsecurity 2.9.2 to log requests/response on
> Apache 2.4.6. My config is https://pastebin.com/wAZJwecy. When there
> is mod_rewrite rule to forward to index.php, it does not log the
> response, even if I open directly http://server/index.php instead of
> http://server. If I remove the
> mod_rewrite lines from .htaccess, the logging is fine. Has anyone run
> into such scenario?
> 
> 
> Regards
> 
> 
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

Re: [mod-security-users] Logging server response

[Todor P. <pet...@gm...>]

On Thu, Oct 18, 2018 at 9:00 PM Christian Folini
<chr...@ne...> wrote:
>
> Todor,
>
> Your pastebin is now gone, but it feels as if your RewriteRule would ahve
> apache stop all further execution of the request. This bypasses ModSec
> and immediately sends out the response. This is also the case when you
> encounter a local 404 as an example.


Hello,

this is the new pastebin https://pastebin.com/PxAPdH4b

I came upon this issue on github
https://github.com/SpiderLabs/ModSecurity/issues/185 but I could not
find anything useful there. Also, the response is "200".

htaccess is:
RewriteEngine on
RewriteRule (.*) index.php [L]


Thanks in advance

Re: [mod-security-users] Logging server response

[Christian F. <chr...@ne...>]

Hey Todor,

Hmm, my initial thought was wrong. Your Rewrite Rule should not be any
problem.

What does your DebugLog say? Can you do a rule in phase 4 that displays
RESPONSE_BODY in an alert message? Do you see it?

Best,

Christian

On Fri, Oct 19, 2018 at 10:39:21AM +0300, Todor Petkov wrote:
> On Thu, Oct 18, 2018 at 9:00 PM Christian Folini
> <chr...@ne...> wrote:
> >
> > Todor,
> >
> > Your pastebin is now gone, but it feels as if your RewriteRule would ahve
> > apache stop all further execution of the request. This bypasses ModSec
> > and immediately sends out the response. This is also the case when you
> > encounter a local 404 as an example.
> 
> 
> Hello,
> 
> this is the new pastebin https://pastebin.com/PxAPdH4b
> 
> I came upon this issue on github
> https://github.com/SpiderLabs/ModSecurity/issues/185 but I could not
> find anything useful there. Also, the response is "200".
> 
> htaccess is:
> RewriteEngine on
> RewriteRule (.*) index.php [L]
> 
> 
> Thanks in advance
> 
> 
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/