owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

ctl:ruleEngine=Off does not work correctly #373

Closed rcbarnett-zz closed 11 years ago

rcbarnett-zz commented 11 years ago

MODSEC-219: ctl:ruleEngine=Off does not stop processing.

config:
---------------------------------------------
SecAuditEngine On
SecRuleEngine On
SecRuleInheritance On
SecAuditLogType Serial
SecAuditLog "logs/security.log"
SecAuditLogParts ABCEFHKZ

SecAction "phase:1,pass,auditlog,msg:'Should appear'"
SecAction "phase:1,pass,auditlog,ctl:ruleEngine=Off,msg:'Rules processing should stop'"

SecAction "phase:1,pass,auditlog,msg:'Should NOT appear'"

Audit log:
---------------------------------------------
--29000000-H--
Message: Warning. Unconditional match in SecAction. [msg "Should appear"]
Message: Warning. Unconditional match in SecAction. [msg "Rules processing should stop"]
Message: Access denied with code 403 (phase 1). Unconditional match in SecAction. [msg "Should NOT appear"]
Action: Intercepted (phase 1)

--29000000-K--
SecAction "phase:1,log,pass,auditlog,msg:'Should appear'"
SecAction "phase:1,log,t:none,pass,auditlog,ctl:ruleEngine=Off,msg:'Rules processing should stop'"

SecAction "phase:1,log,deny,auditlog,msg:'Should NOT appear'"

Second secAction should not trigger
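
An added example (not part of the original report and not ModSecurity's own code): a regression check that reads a serial audit log entry and lists every rule that still logged after a matched rule carrying ctl:ruleEngine=Off. The sample log is the excerpt from the report, laid out one entry per line; correlating section H messages with section K rules by their msg text is an assumption that holds here because each msg in the test configuration is unique.

```python
import re

# Constructed sample: sections H and K of the audit log excerpt in the
# report above, one entry per line.
SAMPLE_AUDIT_LOG = """\
--29000000-H--
Message: Warning. Unconditional match in SecAction. [msg "Should appear"]
Message: Warning. Unconditional match in SecAction. [msg "Rules processing should stop"]
Message: Access denied with code 403 (phase 1). Unconditional match in SecAction. [msg "Should NOT appear"]
Action: Intercepted (phase 1)

--29000000-K--
SecAction "phase:1,log,pass,auditlog,msg:'Should appear'"
SecAction "phase:1,log,t:none,pass,auditlog,ctl:ruleEngine=Off,msg:'Rules processing should stop'"
SecAction "phase:1,log,deny,auditlog,msg:'Should NOT appear'"
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
H_MSG = re.compile(r'\[msg "([^"]*)"\]')
K_MSG = re.compile(r"msg:'([^']*)'")
ENGINE_OFF = re.compile(r"ctl:ruleEngine=Off", re.IGNORECASE)

def split_sections(text):
    """Return {section_letter: [non-empty lines]} for one audit log entry."""
    sections, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            current = sections.setdefault(m.group(2), [])
        elif current is not None and line.strip():
            current.append(line.strip())
    return sections

def rules_fired_after_engine_off(text):
    """List msg values logged after a matched rule that set ctl:ruleEngine=Off."""
    sections = split_sections(text)
    # Section K lists the matched rules; collect the msg of each one that disables the engine.
    off_msgs = set()
    for rule in sections.get("K", []):
        m = K_MSG.search(rule)
        if m and ENGINE_OFF.search(rule):
            off_msgs.add(m.group(1))
    h_lines = [l for l in sections.get("H", []) if l.startswith("Message:")]
    fired = [m.group(1) for m in map(H_MSG.search, h_lines) if m]
    for i, msg in enumerate(fired):
        if msg in off_msgs:
            return fired[i + 1:]  # anything here ran with the engine supposedly off
    return []
```

An empty list from `rules_fired_after_engine_off` means no rule logged after the engine was switched off for the transaction; on the log from this report it returns the third rule's message.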

rcbarnett-zz commented 11 years ago

Original reporter: marcstern

rcbarnett-zz commented 11 years ago

marcstern: Patch seems to work in 2.5.13

rcbarnett-zz commented 11 years ago

bpinto: Marc ... I inserted code in the trunk for this. Can you test it? Thanks, Breno