search

owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0
8.22k stars 1.6k forks source link

Prevoius rule not overridden in same phase #200

Closed rcbarnett-zz closed 11 years ago

rcbarnett-zz commented 11 years ago

MODSEC-48: The following (in a custom rule configuration file) modsecurity_crs_99_customrules.conf\ \ {noformat}

Exceptions to scanning

SecRule SCRIPT_FILENAME "(^/home/phpMyAdmin.*)" phase:2,log,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off {noformat}

Does not override a previous rule in phase 2 that blocks the request and stops processing, while in phase 1 the SCRIPT_FILENAME is not yet available. The above rule is to handle a false positive.

rcbarnett-zz commented 11 years ago

Original reporter: woutersteven

rcbarnett-zz commented 11 years ago

brectanus: You have that rule after the rule that blocks? The rules are processed sequentially, so if a previous rule blocked, then rule processing stops and this rule would never be reached. You need to place this rule before the other rule. You should create a modsecurity_crs_11_customrules.conf (or similar) and put it there.

-B