You might want to try using a mod_rewrite rule for your redirect instead as ModSecurity rules can run before them.
Ryan

On Jul 16, 2011, at 10:23 PM, "Michael Haas" <[email protected]> wrote:

Hi,

is it normal that if a redirect is configured in apache that mod_security is not blocking according to its rules? It logs the request but the Client is redirected.

GET /..%5c../ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/security-layer, application/security-capsule, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: de-at,en-us;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE......)
Accept-Encoding: gzip, deflate
Host: XXX.xxxx
Connection: Keep-Alive

--ac9b0025-F--
HTTP/1.1 302 Found
Location: https://XXX.xxxx/
Content-Length: 208
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--ac9b0025-H--
Message: Pattern match "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" at REQUEST_FILENAME. [file "/test/modsecurity_crs/modsecurity_crs_15_exception.conf"] [line "19"] [id "1000"] [rev "2.1.2"] [msg "Path Traversal Attack"] [severity "CRITICAL"]
Stopwatch: 1310867782439547 587 (- - -)
Producer: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); core ruleset/2.1.2.
Server: Apache

If I do this without redirect the Rule blocks with 403.
That's the Rule

SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:1,rev:'2.1.2',t:none,ctl:auditLogParts=+E,block,msg:'Path Traversal Attack',id:'1000',severity:'2'"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \
    "t:none,t:lowercase,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"

Thanks in Advance
Michael

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
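
The situation in this thread (a rule match logged in part H while the client still receives the redirect in part F) can be searched for in audit logs. The following is an added example, not part of the original messages and not ModSecurity code: it splits audit-log text into its parts and lists transactions where a CRITICAL rule matched but the response status was not 403. The sample entry is constructed from the excerpt above; the B and Z boundary lines, the shortened pattern text and the function names are assumptions.

```python
import re

# Constructed sample modelled on the excerpt in the message above
# (B and Z boundary lines added, pattern text shortened).
SAMPLE = """\
--ac9b0025-B--
GET /..%5c../ HTTP/1.1
Host: XXX.xxxx

--ac9b0025-F--
HTTP/1.1 302 Found
Location: https://XXX.xxxx/

--ac9b0025-H--
Message: Pattern match "(pattern elided)" at REQUEST_FILENAME. [id "1000"] [msg "Path Traversal Attack"] [severity "CRITICAL"]

--ac9b0025-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")

def split_parts(text):
    """Return {txn_id: {part_letter: [non-empty lines]}} for audit log text."""
    txns, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = txns.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif current is not None and line:
            current.append(line)
    return txns

def matched_but_not_denied(text, deny_status=403):
    """List (txn_id, request_line, status, rule_ids) for transactions where a
    CRITICAL rule matched but the response status is not deny_status."""
    findings = []
    for txn_id, parts in split_parts(text).items():
        ids = []
        for line in parts.get("H", []):
            if line.startswith("Message:") and '[severity "CRITICAL"]' in line:
                ids += re.findall(r'\[id "(\d+)"\]', line)
        fields = (parts.get("F") or [""])[0].split()
        status = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else None
        if ids and status != deny_status:
            request = (parts.get("B") or [""])[0]
            findings.append((txn_id, request, status, ids))
    return findings

if __name__ == "__main__":
    for finding in matched_but_not_denied(SAMPLE):
        print(finding)
```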
