The SecRuleEngine variable is set to DetectionOnly.  I guess that makes
sense if it is only detecting but wish it had been documented a bit more.
Thank you for the help and quick response.

David B. Sinclair
Security Manager
Email:   [email protected]
-----Original Message-----
From: Ryan Barnett [mailto:[email protected]]
Sent: Tuesday, August 09, 2011 4:41 PM
To: David Sinclair; [email protected]
Subject: Re: [Owasp-modsecurity-core-rule-set] allow:request

What is your SecRuleEngine set to?  If it is DetectionOnly then it will
not execute allow actions as they are considered disruptive.  If this is
the case, then you can add "ctl:ruleEngine=On" to your rule to trigger the
allow.  Remember though, that this has now enabled blocking mode for this
transaction which means that any phase 3 and 4 rules may trigger blocks.
If you don't want that, then you should add another phase:3 rule to your
custom rules file to "ctl:ruleEngine=DetectionOnly".

-Ryan

From: David Sinclair <[email protected]>
Date: Tue, 9 Aug 2011 16:37:12 -0500
To: [email protected]
Subject: [Owasp-modsecurity-core-rule-set] allow:request

I am rather new to modsecurity rules and am having trouble understanding
the functionality of allow:request.  From this debug log snippet, I have
written a custom rule, modsecurity_crs_15_custom_rules.conf, that is
designed to allow the GET of a .dtd and skip the remainder of request
phase processing with allow:request.  However, this log shows that the
processing of the rules in the request phases continues with crs_20 that I
am trying to avoid.  Is there something that I have missed?

 Warning. Operator EQ matched 0 at TX. [file
"/etc/httpd/conf/modsecurity_crs/modsecurity_crs_10_config.conf"] [line
"309"] [id "98
 Rule returned 1.
 Match -> mode NEXT_RULE.
 Recipe: Invoking rule 2ad8c7cf62e0; [file
"/etc/httpd/conf/modsecurity_crs/base_rules/modsecurity_crs_15_custom_rule
s.conf"] [line
 Rule 2ad8c7cf62e0: SecRule "REQUEST_METHOD" "@rx ^GET$"
"phase:1,chain,nolog,t:none,severity:6,rev:1.0.0,allow:request,msg:'Allow
 Transformation completed in 1 usec.
 Executing operator "rx" with param "^GET$" against REQUEST_METHOD.
 Target value: "GET"
 Operator completed in 2 usec.
 Rule returned 1.
 Match -> mode NEXT_RULE.
 Recipe: Invoking rule 2ad8c7cf6ea0; [file
"/etc/httpd/conf/modsecurity_crs/base_rules/modsecurity_crs_15_custom_rule
s.conf"] [line
 Rule 2ad8c7cf6ea0: SecRule "REQUEST_FILENAME" "@rx ^/dtd/.*[.]dtd$"
"t:none"
 Transformation completed in 1 usec.
 Executing operator "rx" with param "^/dtd/.*[.]dtd$" against
REQUEST_FILENAME.
 Target value: "/dtd/BCSSRequest-v1.1.dtd"
 Operator completed in 3 usec.
 Warning. Pattern match "^/dtd/.*[.]dtd$" at REQUEST_FILENAME. [file
"/etc/httpd/conf/modsecurity_crs/base_rules/modsecurity_crs_15
 Rule returned 1.
 Match -> mode NEXT_RULE.
 Recipe: Invoking rule 2ad8c7cf9ef8; [file
"/etc/httpd/conf/modsecurity_crs/base_rules/modsecurity_crs_20_protocol_vi
olations.conf"
 Rule 2ad8c7cf9ef8: SecRule "REQUEST_LINE" "!@rx
^(?:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\
?[^#\\s]
 T (0) lowercase: "get /dtd/bcssrequest-v1.1.dtd http/1.0"
 Transformation completed in 9 usec.
 Executing operator "!rx" with param
"^(?:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\
\?[^#\\s]*)?(?:#[\\S
 Target value: "get /dtd/bcssrequest-v1.1.dtd http/1.0"
 Operator completed in 8 usec.
 Rule returned 0.
 No match, not chained -> mode NEXT_RULE.

David B. Sinclair
Security Manager
Email:   [email protected]



_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
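
Ryan's suggestion applied to the rule shown in the debug log, as an added example that is not part of the original thread or of the Core Rule Set. The rule ids 9001 and 9002 and the tx.dtd_allowed flag are constructed for illustration, and the metadata actions from the original rule (severity, rev, msg) are left out because the log truncates them.

```apache
# Added example, not from the thread. Ids 9001/9002 and tx.dtd_allowed are
# constructed; the two match conditions are the ones shown in the debug log.
# Assumes the global setting is: SecRuleEngine DetectionOnly

# Phase 1: let GET /dtd/*.dtd skip the rest of request-phase processing.
# allow:request is disruptive, so it stays on the chain starter. The ctl and
# setvar actions sit on the last rule of the chain, which is only evaluated
# when the method has already matched, so the engine is switched to On for
# this one transaction and no other GET request.
SecRule REQUEST_METHOD "@rx ^GET$" \
    "phase:1,id:9001,chain,nolog,t:none,allow:request"
    SecRule REQUEST_FILENAME "@rx ^/dtd/.*[.]dtd$" \
        "t:none,ctl:ruleEngine=On,setvar:tx.dtd_allowed=1"

# Phase 3: return the flagged transaction to DetectionOnly so that phase 3
# and phase 4 rules log instead of block. Keyed on the flag so it does not
# touch transactions that never matched the allow rule.
SecRule TX:DTD_ALLOWED "@eq 1" \
    "phase:3,id:9002,nolog,pass,t:none,ctl:ruleEngine=DetectionOnly"
```

Both rules belong in the custom rules file named in the thread, which the debug log shows being processed before modsecurity_crs_20_protocol_violations.conf, so the phase 3 reset is read ahead of the later CRS files.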
