Leonardo,

How are you activating these rules? Did you put them in a custom rules file? Is this rules file included with the other CRS rule files in Apache Include directives?
You are showing debug log snippets below. If your rules are activated, there should be debug log processing regardless of whether the rules matched or not.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

From: Leonardo Bacha Abrantes <leona...@lbasolutions.com>
Date: Wednesday, September 19, 2012 1:46 PM
To: OWASP Mod Security <owasp-modsecurity-core-rule-set@lists.owasp.org>, "mod-security-us...@lists.sourceforge.net" <mod-security-us...@lists.sourceforge.net>
Subject: [Owasp-modsecurity-core-rule-set] Except rule has been ignoring

Hey people,

I'm using Drupal and I created a list of IPs to access it using this rule:

# This rule was created to allow a list of IPs in a file to access /update.php
SecRule REQUEST_URI "^/update.php" id:1,phase:1,chain,nolog,t:none,allow,setvar:tx.remote_addr=/%{REMOTE_ADDR}/
    SecRule TX:REMOTE_ADDR "@pmFromFile /etc/httpd/conf.d/modsecurity/base_rules/Allowed_to_run_update_php" t:none,ctl:ruleEngine=off

# to access /user interface
SecRule REQUEST_URI "^/user" id:2,phase:1,chain,nolog,t:none,allow,setvar:tx.remote_add=/%{REMOTE_ADD}/
    SecRule TX:REMOTE_ADD "@pmFromFile /etc/httpd/conf.d/modsecurity/base_rules/Allowed_to_run_admin" t:none,ctl:ruleEngine=off

When I try to access /user and log in, I am receiving the error below:

[19/Sep/2012:14:40:36 --0300] [10.1.125.204/sid#228f4e8][rid#35c23f0][/user][1] Access denied with code 403 (phase 2). Pattern match "(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" at ARGS:pass. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2.2.5"] [msg "SQL Comment Sequence Detected."] [data "--Ancine-"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]

[19/Sep/2012:14:40:39 --0300] [10.1.125.204/sid#228f4e8][rid#35c23f0][/user][1] Access denied with code 501 (phase 2). Pattern match "^(?:ht|f)tps?:\\/\\/(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})" at ARGS:pass. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "142"] [id "950117"] [rev "2.2.5"] [msg "Remote File Inclusion Attack"] [severity "CRITICAL"] [tag "WEB_ATTACK/RFI"]

[19/Sep/2012:14:40:46 --0300] [10.1.125.204/sid#228f4e8][rid#35c23f0][/user][1] Access denied with code 501 (phase 2). Pattern match "^(?:ht|f)tps?:\\/\\/(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})" at ARGS:pass. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "142"] [id "950117"] [rev "2.2.5"] [msg "Remote File Inclusion Attack"] [severity "CRITICAL"] [tag "WEB_ATTACK/RFI"]

In the exception files I'm doing this:

/10.1.125.204/

What is wrong? Many thanks!
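The two rule pairs in the post depend on two things that are easy to get wrong and are worth checking before chasing the debug log: the transaction variable in the second pair is built from %{REMOTE_ADD} and read as TX:REMOTE_ADD, whereas the first pair uses REMOTE_ADDR, and @pmFromFile is a substring match, which is why the address is wrapped in slashes both in the setvar and in the list file. The simulation below is an added example written for this thread; it is not ModSecurity or CRS code and not something either poster wrote. It assumes, as labelled in the code, that @pm behaves as a case-insensitive substring search over the list's non-comment lines, that a macro naming a variable the engine does not define expands to an empty string, and it uses a constructed one-entry allow-list mirroring the /10.1.125.204/ line from the post.

```python
import re

# Constructed allow-list file content, mirroring the single entry the
# post says is in the exception file (not the real file from the server).
ALLOW_FILE = """# IPs allowed to run /update.php (constructed sample)
/10.1.125.204/
"""

# Variables the simulated engine knows. Deliberately tiny; the real engine
# knows many more. Any name not listed here expands to "" (assumption).
KNOWN_VARS = {"REMOTE_ADDR", "REQUEST_URI"}

MACRO = re.compile(r"%\{([A-Za-z_]+)\}")


def load_patterns(file_text):
    """Non-empty, non-comment lines of a @pmFromFile list."""
    return [ln.strip() for ln in file_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def pm_match(patterns, target):
    """@pm semantics modelled as case-insensitive substring search
    (assumption: this mirrors the Aho-Corasick matcher, not its code)."""
    t = target.lower()
    return any(p.lower() in t for p in patterns)


def expand_macro(template, request):
    """Expand %{NAME} from the request; unknown names become "" (assumption)."""
    return MACRO.sub(
        lambda m: request.get(m.group(1), "") if m.group(1) in KNOWN_VARS else "",
        template)


def exception_fires(request, uri_prefix, setvar_template, allow_text):
    """Does the two-rule chain from the post let this request through?

    Rule 1: REQUEST_URI must start with uri_prefix; on match the tx
    variable is set from setvar_template.  Rule 2: that tx value is
    checked with @pmFromFile.  Only if both match does the chain's
    allow / ctl:ruleEngine=off take effect.
    """
    if not request["REQUEST_URI"].startswith(uri_prefix):
        return False
    tx_value = expand_macro(setvar_template, request)
    return pm_match(load_patterns(allow_text), tx_value)


def demo():
    """Four checks a defender would run against the posted rule pairs."""
    req = {"REMOTE_ADDR": "10.1.125.204", "REQUEST_URI": "/user"}
    patterns = load_patterns(ALLOW_FILE)
    return {
        # the form used in rule id:1
        "correct_name": exception_fires(req, "/user", "/%{REMOTE_ADDR}/", ALLOW_FILE),
        # the form used in rule id:2: tx value becomes "//", never matches
        "misspelled_name": exception_fires(req, "/user", "/%{REMOTE_ADD}/", ALLOW_FILE),
        # slash delimiters stop a prefix address from matching the list entry
        "prefix_ip_with_delims": pm_match(patterns, "/10.1.125.20/"),
        # without delimiters, @pm would accept a longer address by prefix
        "prefix_ip_without_delims": pm_match(["10.1.125.20"], "10.1.125.204"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last two checks show why the posted rule wraps the address in slashes on both sides: @pm does not anchor, so a bare list entry would also admit any address that merely starts with it. The second check is the one relevant to the question: whatever the engine does with an undefined macro name, the chain in rule id:2 never compares the real client address against the list, so the phase 2 CRS rules run as if no exception existed.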