Hey people,

I'm using Drupal and I created a list of IPs to access it using this rule:

# This rule was created to allow a list of IPs in a file to access /update.php
SecRule REQUEST_URI "^/update.php" id:1,phase:1,chain,nolog,t:none,allow,setvar:tx.remote_addr=/%{REMOTE_ADDR}/
  SecRule TX:REMOTE_ADDR "@pmFromFile /etc/httpd/conf.d/modsecurity/base_rules/Allowed_to_run_update_php" t:none,ctl:ruleEngine=off

# to access /user interface
SecRule REQUEST_URI "^/user" id:2,phase:1,chain,nolog,t:none,allow,setvar:tx.remote_add=/%{REMOTE_ADD}/
  SecRule TX:REMOTE_ADD "@pmFromFile /etc/httpd/conf.d/modsecurity/base_rules/Allowed_to_run_admin" t:none,ctl:ruleEngine=off

When I try to access /user and log in, I am receiving the error below:


[19/Sep/2012:14:40:36 --0300] [10.1.125.204/sid#228f4e8][rid#35c23f0][/user][1] Access denied with code 403 (phase 2). Pattern match "(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" at ARGS:pass. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2.2.5"] [msg "SQL Comment Sequence Detected."] [data "--Ancine-"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
[19/Sep/2012:14:40:39 --0300] [10.1.125.204/sid#228f4e8][rid#35c23f0][/user][1] Access denied with code 501 (phase 2). Pattern match "^(?:ht|f)tps?:\\/\\/(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})" at ARGS:pass. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "142"] [id "950117"] [rev "2.2.5"] [msg "Remote File Inclusion Attack"] [severity "CRITICAL"] [tag "WEB_ATTACK/RFI"]
[19/Sep/2012:14:40:46 --0300] [10.1.125.204/sid#228f4e8][rid#35c23f0][/user][1] Access denied with code 501 (phase 2). Pattern match "^(?:ht|f)tps?:\\/\\/(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})" at ARGS:pass. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "142"] [id "950117"] [rev "2.2.5"] [msg "Remote File Inclusion Attack"] [severity "CRITICAL"] [tag "WEB_ATTACK/RFI"]


In the exception files I'm doing this:

/10.1.125.204/


What is wrong?

Many thanks!
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
