On Sat, 2012-09-01 at 10:41 +0100, Arthur Dent wrote:
> Hello all,
>
> I am part-way through a bare metal rebuild of my small home server on a
> Fedora 17 platform. I have always had a problem with ModSec and
> Squirrelmail. Most of Squirrelmail's functions seem to hit ModSec rules.
> In the past I have dealt with this by means of a custom rule which I put
> in modsecurity_localrules.conf which read:
>
> SecRule REQUEST_URI "@rx(compose|delete_message|options|move_messages|
> gpg_pop_init.php)\.php" "pass,ctl:ruleEngine=DetectionOnly"
>
> (The URI is usually something like /webmail/src/compose.php)
>
> Now that I am on the latest everything (ModSec 2.2.6, CRS 2.2.5) I
> wonder if there was a better way of doing this?
>
> I am surely not the only person who uses ModSec and Squirrelmail.
>
> What is the best way to deal with this?
>
> Thanks in advance for any help / suggestions.
>
> Mark
OK. No-one offered any suggestions so I have been trying to do this myself without any success. I guess things have changed since I last had this working.

I have created a modsecurity_crs_15_customrules.conf file and tried both this:

SecRule REQUEST_URI "@rx(compose|delete_message|options|move_messages|
gpg_pop_init.php)\.php" "pass,ctl:ruleEngine=DetectionOnly"

and this:

SecRule REQUEST_URI "@rx \/webmail\/src\/" "pass,nolog,noauditlog,ctl:ruleEngine=DetectionOnly"

but neither seem to work. Here are the relevant sections from the logs:

==========================8<===========================================
--53208e27-A--
[06/Sep/2012:08:28:57 +0100] UEhQuV5@KJoAAA-gZOEAAAAA 82.43.145.228 50213 192.168.2.2 443
--53208e27-B--
POST /mywm/src/compose.php HTTP/1.1
Host: www.mydomain.org
Connection: keep-alive
Content-Length: 2032
Cache-Control: max-age=0
Origin: https://www.mydomain.org
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryApZrcLUMZNcW08Hw
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.mydomain.org/mywm/src/compose.php?mailbox=IN-School&startMessage=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,en-GB;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: key=OYX4xy5pBYc%3D; squirrelmail_language=deleted; SQMSESSID=vdpj7jlonemo25np8cqaac5q84

--53208e27-I--
smtoken=2Mjp0tu7F9D1&startMessage=1&session=1&passed%5fid=&identity=0&send%5fto=mark%40mydomain%2eorg&send%5fto%5fcc=&send%5fto%5fbcc=&subject=Test+Message&mailprio=3&body=Test+Message&send=Send&MAX%5fFILE%5fSIZE=2097152&username=mark&smaction=&mailbox=IN%2dSchool&composesession=1&querystring=mailbox%3dIN%2dSchool%26amp%3bstartMessage%3d1
--53208e27-F--
HTTP/1.1 403 Forbidden
Content-Length: 304
Connection: close
Content-Type: text/html; charset=iso-8859-1

--53208e27-H--
Message: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*){4,}" at ARGS:querystring. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "171"] [id "981173"] [rev "2.2.5"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "=1"]
Message: Failed to access DBM file "/var/log/httpd//global": Permission denied
Message: Failed to access DBM file "/var/log/httpd//ip": Permission denied
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1346916537512630 18158 (- - -)
Stopwatch2: 1346916537512630 18158; combined=17993, p1=421, p2=12973, p3=0, p4=0, p5=2378, sr=53, sw=1, l=0, gc=2220
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache/2.2.22 (Fedora)

--53208e27-Z--
==========================8<===========================================

I am particularly mystified by the "Failed to access DBM file" message.

Can anyone assist me in getting this through?

Thanks

Mark
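An added configuration example, not taken from this thread or from the CRS project, showing how the exception Mark describes is normally written for the path the audit log actually records (/mywm/src/, assumed here to be the SquirrelMail root rather than /webmail/src/), plus a SecDataDir setting that addresses the DBM errors; the file name, the rule ids and the /var/lib/mod_security path are assumptions.

```apache
# Added example; assumes the SquirrelMail front-end lives under /mywm/src/
# (the path in the audit log) and that this file sorts before the CRS 41_*
# files, e.g. as
# /etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_15_customrules.conf
# Ids 1-99999 are the range ModSecurity reserves for local rules.

# Scope the exception to the webmail path and switch the engine to
# detection-only for the rest of that transaction. The operator must be
# separated from its argument by a space ("@rx /mywm/src/" or, as here,
# "@beginsWith /mywm/src/"): "@rx(compose|..." is read as an operator
# called "rx(compose|...", which does not exist.
SecRule REQUEST_URI "@beginsWith /mywm/src/" \
    "phase:1,id:10001,t:none,nolog,pass,ctl:ruleEngine=DetectionOnly"

# Tighter alternative: keep blocking on for the webmail path but drop only
# the rule the audit log shows firing on ARGS:querystring (id 981173, the
# restricted SQL character anomaly check). Scoping it by REQUEST_URI keeps
# the rule active for the rest of the site.
#SecRule REQUEST_URI "@beginsWith /mywm/src/" \
#    "phase:1,id:10002,t:none,nolog,pass,ctl:ruleRemoveById=981173"

# "Failed to access DBM file /var/log/httpd//global: Permission denied"
# means the persistent GLOBAL and IP collections that the CRS setup file
# initialises are being written under the log directory, which the httpd
# user cannot write. Point SecDataDir at a directory owned by that user
# (assumed path; create it with something like
#   mkdir -p /var/lib/mod_security
#   chown apache:apache /var/lib/mod_security && chmod 750 /var/lib/mod_security
# before restarting httpd).
SecDataDir /var/lib/mod_security
```

Until the collections can be written, the CRS IP-reputation and anomaly-score tracking that depend on them silently do nothing, so the DBM messages are worth fixing rather than ignoring. On Fedora with SELinux enforcing, also check /var/log/audit/audit.log for a denial on the data directory, since "Permission denied" there can come from the SELinux context rather than the file mode.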
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set