Hi Ryan,

It's ok now, thanks so much, I'll look into more configuration and learn about it.

Regards,
Haifeng

----- Original Message -----
From: "Ryan Barnett" <[email protected]>
To: "Haifeng Li" <[email protected]>
Cc: <[email protected]>
Sent: Monday, April 18, 2011 11:17 AM
Subject: Re: [Owasp-modsecurity-core-rule-set] help: Modsecurity 'ARGS' rules match 'GET' request but can't match 'POST' request

You need to use SecRequestBodyAccess On. I suggest you use this recommended base config -
http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#A_Recommended_Base_Configuration

Ryan

On Apr 17, 2011, at 9:28 PM, "Haifeng Li" <[email protected]> wrote:

> Hi All,
>
> I'm a jackaroo of Modsecurity, and very interested in Modsecurity Core Rule set.
>
> I am learning about CRS now, I downloaded the modsecurity CRS and investigate it.
> But I found that my 'ARGS' rules only match 'GET' request but can't match 'POST' request.
>
> I downloaded latest rule set package and modsecurity engine, only update
> following several configuration from downloaded package.
>
> SecDataDir /tmp
> SecTmpDir /tmp
> SecRuleEngine On
> SecDefaultAction "phase:2,deny,log"
>
> And I add a self rule file 'modsecurity_crs_15_customrules.conf' in 'base_rules' directory,
> it only contain below 2 rules.
>
> SecRule ARGS "bruce" "phase:2,deny,t:none,t:lowercase,t:urlDecode,msg:'the attack what ARGS contain Bruce',setvar:'tx.msg=%{rule.msg}'"
> SecRule ARGS_POST "bruce" "phase:2,deny,t:none,t:lowercase,t:urlDecode,msg:'the attack what ARGS_POST contain Bruce',setvar:'tx.msg=%{rule.msg}'"
>
> I tested it on web interface 'http://192.168.1.135/app.php?name=Bruce'
> (modsecurity and httpd installed on this pc, app.php in attachment, a "name"
> text input area in a form)
> Browser show:
> Forbidden
> You don't have permission to access /app.php on this server.
>
> --------------------------------------------------------------------------------
>
> Apache/2.2.3 (Red Hat) Server at 172.22.14.149 Port 80
>
> And the http log is:
> ModSecurity: Access denied with code 403 (phase 2). Pattern match "bruce" at ARGS:name. [file "/etc/httpd/modsecurity_crs/base_rules/modsecurity_crs_15_customrules.conf"] [line "3"] [msg "the attack what ARGS contain Bruce"] [hostname "172.22.14.149"] [uri "/app.php"] [unique_id "nOrQFX8AAAEAACpHFRMAAAAC"]
>
> But if I input "Bruce" on web interface 'http://192.168.1.135/app.php',
> and click button "submit", the browser redirect "next.php" successful,
> obviously, the rules are invalid when execute POST request.
>
> Who can help me for this?
>
>
> Thanks and regards,
>
> <app.php>
> <next.php>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
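
The fix given in the reply above, written out as an added configuration example (not part of the original thread and not taken from the CRS package). The limit values and the rule id are assumptions chosen for illustration.

```apache
# Constructed example: limit values and the rule id are illustrative assumptions.

# Before (the ModSecurity default): request bodies are not buffered or parsed,
# so ARGS_POST stays empty and ARGS holds only query-string parameters.
# A form POST with name=Bruce is never seen by an ARGS rule.
# SecRequestBodyAccess Off

# After: buffer and parse request bodies so that form fields are added to
# ARGS and ARGS_POST.
SecRuleEngine On
SecRequestBodyAccess On

# Bound what is buffered so that body inspection cannot be used to
# exhaust memory or disk on the server.
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072

# Body parameters only exist once the body has been read, so rules that
# inspect them must run in phase 2 (request body) or later.
SecRule ARGS_POST "@contains bruce" \
    "id:1000001,phase:2,deny,status:403,log,t:none,t:lowercase,msg:'ARGS_POST contains bruce'"
```

With this in place, submitting the form from the thread with `name=Bruce` should produce the same 403 and an audit entry pointing at `ARGS_POST:name` instead of passing through to `next.php`.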
