Are you just interested in fooling scanners? If so, then you can trap
outbound 404 html data with mod_security's output filter like this -
SecFilterSelective OUTPUT "The requested file you request does not exist" status:200
You need to trigger on the html text of your 404 pages rather than the HTTP
status code line, as the output filter does not capture that data. I believe
that Ivan is implementing a new directive to allow you to trap outbound
status codes.
Keep in mind, however, that while this will change the status code to 200,
the html text that will be displayed will not be of much help to real users
who have requested a non-existent page. For example, with my Apache setup this
is what is returned -
HTTP/1.1 200 OK
Date: Fri, 04 Nov 2005 12:07:24 GMT
Server: Microsoft-IIS/5.0
Content-Length: 497
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>200 OK</title>
</head><body>
<h1>OK</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
yo...@ex... and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
Connection closed by foreign host.
-Ryan
On 11/4/05, Peter VE <xx...@im...> wrote:
>
> Hi,
>
> I would like to set up my Apache 2.0.55 (with mod_security 1.8.7) to
> return a 200 OK for every single request that is made to a non-existing
> page.
> How can I do this ?
> (or do I need to use mod_rewrite for this)
>
> thanks
>
> P
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
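
Added example, not part of the original message or the ModSecurity project's own configuration: the rule from the reply placed in a complete ModSecurity 1.x block for Apache 2.x, with output scanning switched on so the OUTPUT variable has data to match. The pattern assumes Apache's stock 404 page is in use; replace it with text from your own 404 page.

```apache
<IfModule mod_security.c>
    # Turn the filtering engine on.
    SecFilterEngine On

    # Output scanning is off by default; without it no OUTPUT rule
    # ever sees a response body.
    SecFilterScanOutput On

    # The output filter only sees the response body, not the status
    # line, so the rule keys on text that appears in the 404 page.
    # Assumption: the stock Apache 404 body, which contains the
    # sentence "The requested URL ... was not found on this server."
    # The action is written exactly as in the reply above.
    SecFilterSelective OUTPUT "was not found on this server" status:200
</IfModule>
```

Any legitimate page whose body contains the same phrase will also be intercepted, so pick a string that only your 404 page produces.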