Morris Taylor | 29 Mar 17:41 2015

HTTP POST Hangs with Modsecurity 2.9 and Nginx

Dear All,

     Has anyone encountered the same issue? I tried to upload some
     small files to my web application through the nginx proxy with
     mod security enabled (DetectionOnly) and found my http post request
     was hanging and an empty response was returned. I tried to use
     the recommended mod security conf, however, things didn't work at all.
     Therefore, I tried to use tcpdump to inspect the packets between
     the proxy and the backend server, and I found most of the packets were
     sent to the proxy, and fewer were being forwarded to the backend
     server. It seems mod security has trouble forwarding the request
     body (POST DATA) to my backend server. Can anyone help me to solve
     this issue? Thanks!

-- 
BR, Morris

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Saverio | 26 Mar 16:43 2015

Traffic affected in spite of SecRuleEngine DetectionOnly

Hello,

I've recently set up ModSecurity, as an Nginx (1.6.2) module, with the pretty much standard configuration (modsecurity.conf-recommended and OWASP modsecurity_crs_10_setup.conf.example).

I wanted to set it up only for detection; I've checked the built configuration file, and it contains "SecRuleEngine DetectionOnly", which, as far as I understand, should cause ModSecurity to inspect the traffic, but not interfere with it.

Unexpectedly (to me), this caused 404s on some requests. Is this actually expected? Is there anything else I should configure in order to be completely sure that the traffic is not affected in any way?

Thanks,
Saverio
------------------------------------------------------------------------------
Morris Taylor | 26 Mar 10:12 2015

Modsecurity Audit log trailer without messages.

Dear All,

     I am running mod security within NGINX, and I found this issue
     today. That is, I find some entries in the audit log are showing without any
     "Messages" in Audit Part H. It looks weird that I cannot find the
     reason for blocking this request. (Apparently we can see the Referer
     section in the request header is malicious.) Can anyone tell me why
     the reason is not included in part H of the audit log?

The following is the detailed information about one such request in my
audit log (sorry for masking the client IP address and the Host in the
request header):

--adaae268-A--
[26/Mar/2015:16:30:26 +0800] zSAcAOAcAcAcRcAcLcAaecAr 223.xxx.xx.xx
25749 127.0.0.1 80
--adaae268-B--
GET /fonts/ HTTP/1.1
Referer: file:///etc/passwd
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0)
like Gecko
Host: some.domain.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

--adaae268-F--
HTTP/1.1
Cache-Control: private, must-revalidate
pragma: no-cache
expires: -1
Content-Type: text/plain; charset=UTF-8
Connection: keep-alive

--adaae268-H--
Apache-Handler: IIS
Stopwatch: 1427358625000958 1126873 (- - -)
Stopwatch2: 1427358625000958 1126873; combined=8995, p1=282, p2=8580,
p3=4, p4=90, p5=37, sr=82, sw=2, l=0, gc=0
Producer: ModSecurity for nginx (STABLE)/2.9.0
(http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: ModSecurity Standalone
Engine-Mode: "DETECTION_ONLY"

-- 
BR, Morris
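
Added example (not part of the original message and not ModSecurity's own code): a Python parser for the serial audit-log layout shown above that splits each entry into its lettered parts and reports whether part H carries any Message lines. Both sample entries are constructed, the first modeled on the entry in the post and the second given a made-up rule id 999001; parse_audit_log, trailer_fields and triage are names chosen for this example.

```python
import re

# Section boundary of an audit log entry: --<transaction id>-<part letter>--
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--\s*$")
# A trailer field starts with "Name: "; anything else continues the previous field.
FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): ?(.*)$")

# Constructed sample: entry 1 has no Message line in part H, entry 2 has one.
SAMPLE = """\
--adaae268-A--
[26/Mar/2015:16:30:26 +0800] zSAcAOAcAcAcRcAcLcAaecAr 192.0.2.10 25749 127.0.0.1 80
--adaae268-B--
GET /fonts/ HTTP/1.1
Referer: file:///etc/passwd
Host: some.domain.com

--adaae268-H--
Stopwatch: 1427358625000958 1126873 (- - -)
Producer: ModSecurity for nginx (STABLE)/2.9.0
(http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Engine-Mode: "DETECTION_ONLY"

--adaae268-Z--

--0badc0de-A--
[26/Mar/2015:16:31:02 +0800] constructedTxnId0000000 192.0.2.10 25750 127.0.0.1 80
--0badc0de-B--
GET /fonts/ HTTP/1.1
Referer: file:///etc/passwd
Host: some.domain.com

--0badc0de-H--
Message: Warning. Pattern match "^file:" at REQUEST_HEADERS:Referer. [id "999001"] [msg "constructed example rule"]
Engine-Mode: "DETECTION_ONLY"

--0badc0de-Z--
"""


def parse_audit_log(text):
    """Return a list of entries, each {"id": str, "parts": {letter: [lines]}}."""
    entries, current, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            txid, letter = m.groups()
            # Part A (or a new boundary id) opens a new transaction.
            if letter == "A" or current is None or current["id"] != txid:
                current = {"id": txid, "parts": {}}
                entries.append(current)
            part = current["parts"].setdefault(letter, [])
        elif part is not None:
            part.append(line)
    return entries


def trailer_fields(entry):
    """Parse part H into (name, value) pairs, folding hard-wrapped lines."""
    fields = []
    for line in entry["parts"].get("H", []):
        m = FIELD.match(line)
        if m:
            fields.append([m.group(1), m.group(2)])
        elif line.strip() and fields:
            fields[-1][1] += " " + line.strip()
    return [(name, value) for name, value in fields]


def triage(entry):
    """Summarise what part H records about rule matches for one transaction."""
    fields = trailer_fields(entry)
    messages = [v for n, v in fields if n == "Message"]
    mode = next((v.strip('"') for n, v in fields if n == "Engine-Mode"), None)
    rule_ids = [rid for msg in messages for rid in re.findall(r'\[id "(\d+)"\]', msg)]
    return {"id": entry["id"], "engine_mode": mode, "messages": len(messages),
            "rule_ids": rule_ids, "unexplained": not messages}


if __name__ == "__main__":
    for e in parse_audit_log(SAMPLE):
        print(triage(e))
```

Entries reported with "unexplained" set are the ones to compare against the debug log and the SecAuditLogParts / SecAuditEngine settings.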

------------------------------------------------------------------------------

Neha Chriss | 26 Mar 04:20 2015

Help w/ PCRE for ARGS and ARGS_NAME

Hello,

I have roughly 50 SecRules that are working without issue. However, I have two specifically that should each match an ARGS and an ARGS_NAME variable, but I can't seem to match them correctly - I believe my regex is bad, or I'm not writing the rules correctly.

In the first rule, I'm attempting to use PCRE so that apachectl -t will match OK. The whitespace in the raw 'ARGS_NAMES:data[Form Phone Number]' causes modsecurity to complain. The matching regex itself is "(data(\[.*\])+)". After loading, modsec still flags this request parameter (occurring in the Request Body) as violating ID 981173.

Current rule:
SecRule ARGS_NAMES:"/^data[Tests][Form\sPhone\sNumber]$/" "(data(\[.*\])+)" "id:307,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=.;ARGS_NAMES:/^data[Tests][Form\sPhone\sNumber]$/"

The alert:
[id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: ] found within ARGS_NAMES:data[Tests][Form Phone Number]: data[Tests][Form Phone Number]"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "x.x.com"] [uri "/accnt/metad"] [unique_id "VRCOTwobAq4AABfAuc0AAADg"]

In the other problematic rule, I want to whitelist all requests with the Request Body JSON variable set, in the format of '{data {"this":"that","foo":""}}'. Modsecurity still flags this as a violation of ID 981173. In general, I want to be able to get a tighter match on this parameter, as opposed to a '*.' whitespace, but I'd at least like to start with an appropriate method of whitelisting I can build on.

Here's the current rule:

SecRule ARGS_NAMES:"/^{\"data\"/" "(.*)" "id:308,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=.;ARGS_NAMES:/^{\"data\"/"

The alert:
[2015-03-23T22:09:01.63216 [Mon Mar 23 22:09:01.632127 2015] [:error] [pid 6592:tid 140471007414016] [client 66.206.85.131] ModSecurity: Warning. Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS_NAMES:{"data":{"description":"Foo Bar","ids":["8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888"]}}. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \x22 found within ARGS_NAMES:{\x22data\x22:{\x22description\x22:\x22Foo Bar\x22,\x22transaction_ids\x22:[\x8d8b8b8a-8c84-8888-8888-88888888888888\x22,\8d8b8b8a-8c84-8888-8888-88888888888888\x22,\8d8b8b8a-8c84-8888-8888-88888888888888\x22,\x8d8b8b8a-8c84-8888-8888-88888888888888\x22,\x8d8b8b8a-8c84-8888-8888-88888888888888 [hostname "x.x.com"] [uri "/trans/data"] [unique_id "VRCO-QobAq4AABnAKcsAAAAO"]

What am I doing wrong here?
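
Added example (not from the original post): how a regex engine reads the ARGS_NAMES selector of rule 307 as posted, next to a variant with the brackets escaped, and why the parameter name reaches the four-character threshold of the 981173 pattern quoted in the alert. Python's re module stands in for PCRE (an assumption that holds for these patterns), the escaped variant is an assumption about the intent, the special-character class is rebuilt from the alert text, and the name "dataeo" is constructed.

```python
import re

# Characters counted by the pattern quoted in the 981173 alert (rebuilt from the log text).
SPECIAL = "~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>"
RULE_981173 = re.compile("([" + re.escape(SPECIAL) + "].*?){4,}")

# Selector regex exactly as posted in rule 307: the brackets are unescaped,
# so [Tests] and [Form\sPhone\sNumber] are character classes (one character each).
POSTED = r"^data[Tests][Form\sPhone\sNumber]$"
# Variant with the literal brackets escaped (assumed intent, not from the post).
ESCAPED = r"^data\[Tests\]\[Form\sPhone\sNumber\]$"

# Parameter names: the first is from the alert, the others are constructed.
NAMES = [
    "data[Tests][Form Phone Number]",
    "data[Tests]",
    "dataeo",
]


def special_count(name):
    """Number of characters in the name that the 981173 class counts."""
    return sum(1 for ch in name if ch in SPECIAL)


def triggers_981173(name):
    """True when the name contains at least four counted characters."""
    return RULE_981173.search(name) is not None


def selected(selector, names):
    """Names that a regex selector such as ARGS_NAMES:/.../ would pick out."""
    rx = re.compile(selector)
    return [n for n in names if rx.search(n)]


def report(names=NAMES):
    """One row per name: special-character count, 981173 hit, selector hits."""
    rows = []
    for n in names:
        rows.append({
            "name": n,
            "special": special_count(n),
            "hits_981173": triggers_981173(n),
            "posted_selector": bool(selected(POSTED, [n])),
            "escaped_selector": bool(selected(ESCAPED, [n])),
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```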



------------------------------------------------------------------------------
Bruno de Almeida | 24 Mar 23:03 2015

rule performance

Hi All,

I am trying to find out the most expensive rules I have on my setup using SecRulePerfTime and PERF_RULES but the data is not making much sense.


For example, I have this one custom rule that is tracking authentication events, it basically inspects POST to a specific URL and grabs some info.

SecRule REQUEST_FILENAME "@strmatch j_spring_security_check" "chain,phase:3,id:'7002',t:none,pass,nolog,auditlog,severity:6,msg:'Successful Authentication',logdata:'email=%{args.j_username}'"
SecRule REQUEST_METHOD "@streq POST" "chain,t:none"
SecRule RESPONSE_STATUS "@streq 302" "chain,t:none"
SecRule RESPONSE_HEADERS:Location "!@strmatch signin" "chain,t:none"
SecRule WEBAPPID "@strmatch www" "chain,t:none"
SecRule ARGS:j_username ".*" "t:none"


The combined time for this rule varies between 10000 and 40000, 99% of this time is in Phase 2, as you can see below

Stopwatch2: 1427233612156631 1027209; combined=30177, p1=420, p2=29315, p3=329, p4=51, p5=60, sr=49, sw=2, l=0, gc=0


I have added SecRulePerfTime 1 to my config so I can see all rules taking 1+ usec.

The problem is, according to Rules-Performance-Info, the sum of all rules taking more than 1 usec is nowhere near p2=29315, and, still according to Rules-Performance-Info, the Authentication Tracking rule is only taking "2 usecs" ("7002=2").

The sum of all the processing times below is *850*, a lot less than the combined=30177

Rules-Performance-Info: "900012=1", "900018=2", "900019=4", "1000=4", "900020=1", "900021=2", "5001=2", "5006=1", "5009=1", "5010=1", "4001=1", "4002=1", "960911=6", "960016=1", "960012=1", "960342=1", "960032=3", "950012=1", "10001=6", "
10002=1", "11003=1", "4003=3", "900040=1", "960912=2", "960914=1", "960915=1", "958295=1", "950108=4", "950116=1", "960901=15", "960008=1", "960006=1", "960017=1", "960209=1", "960208=1", "960335=1", "960341=1", "981078=3", "960034=4", "9
60035=1", "960038=36", "990002=7", "990901=7", "990902=1", "990012=7", "950907=4", "950018=1", "950019=2", "950910=39", "950911=43", "950117=3", "950118=2", "950119=2", "950120=1", "981133=20", "981134=1", "950009=36", "950003=3", "950000
=3", "950005=4", "950002=5", "950006=6", "981231=3", "981260=5", "981318=6", "981319=9", "950901=7", "981320=3", "981300=10", "981303=1", "981304=1", "981306=1", "981307=1", "981308=1", "981309=1", "981311=1", "981312=1", "981313=1", "981
314=1", "950007=6", "950001=16", "959070=8", "959071=2", "959072=1", "950908=2", "959073=23", "981272=2", "981244=8", "981255=7", "981257=6", "981248=10", "981277=3", "981250=4", "981241=3", "981252=4", "981256=4", "981245=9", "981276=2",
 "981254=2", "981270=1", "981240=6", "981249=7", "981253=4", "981242=11", "981246=7", "981251=4", "981247=8", "981243=6", "973336=1", "973337=3", "973338=6", "981136=14", "981018=1", "973300=3", "973301=1", "973302=29", "973303=5", "97330
4=4", "973305=2", "973306=3", "973307=2", "973308=2", "973309=3", "973310=1", "973311=3", "973312=2", "973313=3", "973314=3", "973331=2", "973315=1", "973330=4", "973327=4", "973326=5", "973346=8", "973345=4", "973324=2", "973323=3", "973
322=2", "973348=2", "973321=3", "973320=1", "973318=1", "973317=2", "973347=2", "973335=1", "973334=3", "973333=3", "973332=3", "973329=1", "973328=1", "973316=1", "973325=1", "973319=2", "950103=22", "950110=1", "981020=1", "981022=2", "
981175=1", "1001=1", "2010=1", "2011=1", "3001=12", "9001=1", "200003=1", "200004=1", "7002=2", "7003=1", "7004=1", "7006=2", "7009=1", "8002=2", "8003=1", "1234=66", "981080=3", "970118=1", "981177=1", "981004=1", "981007=1", "981200=2",
 "981201=2", "981204=3", "981205=13", "7001=1".

Does anyone know if Rules-Performance-Info takes into account all phases? If not, which phase is it reporting?

Thanks,


--
- Bruno
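
Added example (not part of the original message and not ModSecurity's own code): a Python helper that parses a Stopwatch2 line and a Rules-Performance-Info value, re-joins tokens that were hard-wrapped mid-number as in the listing above, and sets the listed per-rule total beside the combined time. The Stopwatch2 line is the one from the post; the Rules-Performance-Info value is a constructed five-rule subset, and the function names are chosen for this example.

```python
import re

# Stopwatch2 line as quoted in the post.
STOPWATCH2 = ("Stopwatch2: 1427233612156631 1027209; combined=30177, p1=420, "
              "p2=29315, p3=329, p4=51, p5=60, sr=49, sw=2, l=0, gc=0")

# Constructed subset of a Rules-Performance-Info value, hard-wrapped
# mid-token ('"9' at a line end, '50911=43"' on the next) like the mail above.
PERF = ('Rules-Performance-Info: "960038=36", "950910=39", "9\n'
        '50911=43", "7002=2",\n "1234=66".')


def parse_stopwatch2(line):
    """Parse 'Stopwatch2: <start_usec> <duration_usec>; k=v, ...' into ints."""
    m = re.match(r"Stopwatch2:\s+(\d+)\s+(\d+);\s*(.*)", line.replace("\n", " "))
    if not m:
        raise ValueError("not a Stopwatch2 line")
    out = {"start": int(m.group(1)), "duration": int(m.group(2))}
    out.update((k, int(v)) for k, v in re.findall(r"(\w+)=(\d+)", m.group(3)))
    return out


def parse_rule_perf(value):
    """Parse a Rules-Performance-Info value into {rule_id: usec}.

    Newlines are removed first so that an id split across two lines by a
    fixed-width wrap is read as one token again.
    """
    joined = value.replace("\r", "").replace("\n", "")
    return {rid: int(us) for rid, us in re.findall(r'"(\d+)=(\d+)"', joined)}


def reconcile(stopwatch_line, perf_value, top=3):
    """Compare the per-rule times that were listed with the Stopwatch2 totals."""
    sw = parse_stopwatch2(stopwatch_line)
    perf = parse_rule_perf(perf_value)
    phases = [(f"p{i}", sw.get(f"p{i}", 0)) for i in range(1, 6)]
    listed = sum(perf.values())
    return {
        "combined": sw["combined"],
        "phase_sum": sum(usec for _, usec in phases),
        "largest_phase": max(phases, key=lambda kv: kv[1]),
        "listed_rules_usec": listed,
        "unattributed_usec": sw["combined"] - listed,
        # Slowest listed rules first; ties broken by rule id.
        "top_rules": sorted(perf.items(), key=lambda kv: (-kv[1], kv[0]))[:top],
    }


if __name__ == "__main__":
    for key, value in reconcile(STOPWATCH2, PERF).items():
        print(f"{key}: {value}")
```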
------------------------------------------------------------------------------
Morris Taylor | 24 Mar 11:24 2015

Re: How to change the default file permission for the audit log

Dear Andrew:
 
   I will reply to your question tomorrow. Sorry for not being able to reply to you in time.
 
Dear All,
 
    Just a self-answer to my question:
 
To change the default file permission for the audit log file, just change the value of SecAuditLogFileMode to what you want in modsecurity.conf.
 
The related explanation of the variable is also attached as follows:
 

Description: Configures the mode (permissions) of any files created for concurrent audit logs using an octal mode (as used in chmod). See SecAuditLogDirMode for controlling the mode of created audit log directories.

Syntax: SecAuditLogFileMode octal_mode|"default"

Default: 0600

Scope: Any 

Version: 2.5.10

Example Usage: SecAuditLogFileMode 00640

This feature is not available on operating systems not supporting octal file modes. The default mode (0600) only grants read/write access to the account writing the file. If access from another account is needed (using mpm-itk is a good example), then this directive may be required. However, use this directive with caution to avoid exposing potentially sensitive data to unauthorized users. Using the value “default” will revert back to the default setting.

 
--
BR, Morris
 
 
On Tue, Mar 24, 2015, at 05:57 PM, Andrew Camilleri wrote:
Hi Morris!
 
Just seen your email on modsecurity mailing list. Sorry for this, but I am struggling to get modsecurity running and you managed to do it! Wow! Can you please point me to some online resource that shows how you did it? Also, can you please tell me the version of nginx + modsecurity + OS? I am really stuck and any help would be appreciated! Cheers!
 
Andrew
 
On 24 March 2015 at 09:49, Morris Taylor <morris <at> eml.cc> wrote:
Dear All,

   I have installed mod security with my nginx server. However, I find
   the file permission of the audit log file is set to "-rw-r-----" (aka
   640). I would like to ask where I can patch the related source code
   to let mod security create and write the audit log with the file
   permission set to "-rw-r--r--" (aka 644)? Thanks a lot!

--
BR, Morris

------------------------------------------------------------------------------
Morris Taylor | 24 Mar 10:49 2015

How to change the default file permission for the audit log

Dear All,

   I have installed mod security with my nginx server. However, I find
   the file permission of the audit log file is set to "-rw-r-----" (aka
   640). I would like to ask where I can patch the related source code
   to let mod security create and write the audit log with the file
   permission set to "-rw-r--r--" (aka 644)? Thanks a lot!

-- 
BR, Morris

------------------------------------------------------------------------------

Andrew Camilleri | 20 Mar 15:39 2015

nginx+modsecurity

Hi!

I am trying to enable modsecurity in nginx and I got stuck. Here are my steps:

yum install -y gcc make automake autoconf libtool
yum install -y pcre pcre-devel libxml2 libxml2-devel curl curl-devel httpd-devel

from modsecurity folder:

./configure --enable-standalone-module --disable-mlogc
make

from nginx folder:
./configure --add-module=../mod_security/nginx/modsecurity
make
sudo make install

All works so far. Tested nginx on its own, and it works fine. So proceed to enable modsecurity and owasp rules. I follow steps from here which basically suggest to catenate modsecurity.conf-recommended, modsecurity_crs_10_setup.conf.example and crs-rules/*.conf together and also copy the base_rules/*data files to nginx conf. I go and start nginx and it doesn't complain. Then I browse onto my test app and it seems to work, but when I attempt to POST for a login, nginx hangs and I get the following in the error.log:

2015/03/20 11:33:37 [notice] 37800#0: signal process started
2015/03/20 11:33:41 [notice] 37801#0: ModSecurity for nginx (STABLE)/2.9.0 (http://www.modsecurity.org/) configured.
2015/03/20 11:33:41 [notice] 37801#0: ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
2015/03/20 11:33:41 [notice] 37801#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/03/20 11:33:41 [notice] 37801#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/03/20 11:33:41 [notice] 37801#0: ModSecurity: StatusEngine call: "2.9.0,nginx,1.3.9/1.3.9,7.8/7.8 2008-09-05,(null),2.7.6,bd9197350c776162590f1f3364fb3a831179d4fa"
2015/03/20 11:33:41 [notice] 37801#0: ModSecurity: StatusEngine call successfully sent. For more information visit:http://status.modsecurity.org/
2015/03/20 11:34:07 [alert] 37802#0: worker process 37803 exited on signal 9
2015/03/20 11:34:15 [alert] 37802#0: worker process 37822 exited on signal 9

The response in the browser is completely empty. I am running this on a CentOS 6.6 VM. Can anyone help please? I have attempted this with both stable nginx 1.6.2 and Mainline 1.7.10. Many thanks for reading this...Cheers!

Andrew
------------------------------------------------------------------------------
Phpz | 19 Mar 12:29 2015

Nginx with ModSecurity module and limit_req_zone

Hi all, I just installed the ModSecurity module and tested it; by checking logs and making tests with some tools (like nikto, httpslowtest..), it seems to work fine (it logs bad requests as 403).
The only thing I notice is that with the ModSecurity module enabled, my previous rule for limiting requests stops working :(
The rule in nginx.conf is:
        # Create a global request accounting pool to prevent DOS
        limit_req_zone $binary_remote_addr zone=antidos:10m rate=10r/s;

Then I have:
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        include mime.types;
        default_type application/octet-stream;
        ...    
        ...

Is there a way to keep it working as before?
Or, alternatively, is there something to implement in the ModSecurity configuration to do the same thing?

Thanks to all in advance,
Regards - Franz
------------------------------------------------------------------------------
Tomasz Chmielewski | 18 Mar 16:22 2015

per vhost SecRuleUpdateActionById not working?

Hello,

I'm trying to use SecRuleUpdateActionById to allow traffic in one vhost.

For example, with this enabled globally and unchanged:

modsecurity_crs_35_bad_robots.conf

I'm getting "403 Forbidden" with a bad robot called "webmole" - which is 
fine:

$ curl -A webmole site.example.com

Now, I'd like to allow bad robots for this particular vhost, but still 
log any actions done.

However, setting this in the vhost has no effect at all - "webmole" 
traffic is still blocked:

SecRuleUpdateActionById 990012 allow

If I add this one to vhost config, the rule is removed, "webmole" 
traffic no longer blocked - but also not logged - so this is not what I 
want:

SecRuleRemoveById 990012

So my question is - how do I use "SecRuleUpdateActionById" in vhost 
config to "allow" traffic for a given ID, like 990012 above (with 
modsecurity rules loaded globally)?

-- 
Tomasz Chmielewski
http://www.sslrack.com

------------------------------------------------------------------------------

biau | 18 Mar 11:48 2015

My OCSP request and response are not logged

Hi all

I have made my Apache act as a reverse proxy to my OCSP responder.

I tried to configure modsecurity to log my OCSP request and 
response. Here is my configuration:

<IfModule security2_module>
SecAuditEngine On
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecAuditLogParts ABCEFHIZ
SecAuditLogType Serial
SecAuditLog logs/sec.log
SecDebugLog logs/sec_debug.log
SecDebugLogLevel 3
</IfModule>

The log is created, but it only logs parts A, B, F and H. (C 
= request, and E = response) are missing.

When I tried it with an .html page, parts C and E appear.

So, I want to know: is my configuration wrong? Can't modsecurity log 
when it is a reverse proxy? Or can it not log binary (OCSP is 
binary)?

thank you

best regards
biau
