owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

allow action doesn't work under DetectionOnly mode when both "allow" and "nolog" actions are placed #500

Closed rcbarnett-zz closed 11 years ago

rcbarnett-zz commented 11 years ago

MODSEC-352: I want to get mod_sec into DetectionOnly mode to see if my rules go fine with my web application. I have some whitelist domains using the allow action and I do not want to log the allow action. But such a rule as below doesn't work under DetectionOnly mode:

SecRule REQUEST_HEADERS:Host "test.com" "allow,nolog"

If I remove the nolog action, it will work. Is this a bug?

Thanks!

rcbarnett-zz commented 11 years ago

Original reporter: fancyo

rcbarnett-zz commented 11 years ago

bpinto: Hello,

I would suggest upgrading to a more recent version of ModSecurity, because the allow action is a disruptive action and must not work in detection-only mode. If you want to enable it by transaction, you can do something like:

SecRule REQUEST_HEADERS:Host "test.com" "allow,nolog,ctl:ruleEngine=On"

Note: nolog will suppress alert messages in the audit log and error log. However, if you don't want to create any audit log for this transaction, you can do something like:

SecRule REQUEST_HEADERS:Host "test.com" "allow,nolog,ctl:auditEngine=Off, ctl:ruleEngine=On"

Does it work for you?
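
A tightened form of the per-transaction exemption suggested above, as an added example that is not part of the original thread or the ModSecurity project's own rules. The rule id 1000, the choice of phase 1, and the anchored pattern are assumptions made here; test.com is the host used in the thread.

```apache
# Added example. Engine runs in detection-only mode globally, as in the thread.
SecRuleEngine DetectionOnly

# Rule as posted in the thread, kept for comparison (commented out).
# With no operator given, SecRule uses @rx, and the pattern is unanchored
# with an unescaped ".", so the exemption applies to any Host value that
# merely contains something matching "test.com", not only that exact name.
#SecRule REQUEST_HEADERS:Host "test.com" "allow,nolog,ctl:auditEngine=Off,ctl:ruleEngine=On"

# Tightened version (assumptions: id 1000, phase 1):
#  - ^...$ and \. limit the match to the exact host name,
#  - (?::[0-9]+)? tolerates an explicit port in the Host header,
#  - t:none,t:lowercase makes the comparison case-insensitive,
#  - id is mandatory on ModSecurity 2.7.0 and later,
#  - phase:1 evaluates the exemption as soon as request headers are read.
# ctl:ruleEngine=On switches only this transaction out of DetectionOnly so
# that the disruptive "allow" is actually carried out; ctl:auditEngine=Off
# suppresses the audit log entry for the exempted transaction.
SecRule REQUEST_HEADERS:Host "@rx ^test\.com(?::[0-9]+)?$" \
    "id:1000,phase:1,t:none,t:lowercase,allow,nolog,ctl:auditEngine=Off,ctl:ruleEngine=On"
```

Because the Host header is supplied by the client, an exemption like this should be as narrow as the deployment allows, and it is worth leaving audit logging on for exempted transactions while the rule set is still being evaluated.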

rcbarnett-zz commented 11 years ago

fancyo: Hi, "allow action is a disruptive action and must not work in detection only mode." This helps me understand the question quite well. Thanks for your reply. Also, I realized that the manual has talked about this. I should read the manual.