****SPAM**** LOW * AW: [Modsecurity] A little problem with excludes

[Thomas Ammermann]

Hi Christian,

I usually exclude rules like this:

<LocationMatch "xxx">
    SecRuleRemoveById 300018
</LocationMatch>

Maybe this helps ...

Kind regards,
Thomas


-----Ursprüngliche Nachricht-----
Von: modsecurity-bounces at gotroot.com
[mailto:modsecurity-bounces at gotroot.com] Im Auftrag von Cristian Livadaru
Gesendet: Donnerstag, 11. Oktober 2007 11:29
An: modsecurity at gotroot.com
Betreff: [Modsecurity] A little problem with excludes

Hi modsecurity list, 

I seem to have a little problem with the excludes

I have this in my Audit log: 


==6d394431==============================

Request: www.foo.com 127.0.0.1 - - [11/Oct/2007:09:25:57 +0200] "POST
/index.php?option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f
6c697374696e677326616d703b656469743d3336392661646d696e3d74727565 HTTP/1.1"
403 285
"http://www.foo.com/component/option,com_cmsrealty/Itemid,4/openrealty,61637
4696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d7
4727565/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7)
Gecko/20070914 Firefox/2.0.0.7" - "-"
----------------------------------------
POST
/index.php?option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f
6c697374696e677326616d703b656469743d3336392661646d696e3d74727565 HTTP/1.1
Host: www.foo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7)
Gecko/20070914 Firefox/2.0.0.7
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=
0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer:
http://www.foo.com/component/option,com_cmsrealty/Itemid,4/openrealty,616374
696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74
727565/
Content-Type: application/x-www-form-urlencoded
Content-Length: 510
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match
"((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:
space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"] [rev "1"] [msg
"Generic SQL injection protection"] [severity "CRITICAL"]

510
action=update_listing&edit=369&title=Altbau-Miete&pclass%5B%5D=4&featured=no
&edit_active=yes&mlsexport=no&or_owner=9&notes=&Adresse=Staudgasse&Stadt=Wie
n&Postleitzahl=1180&Preis=530&betr_kosten=&miete=&full_desc=Nette+Kleine+Zim
mer+und+Kabinett+Wohnung%2C+Einbauk%FCche%2C+sehr+ger%E4umig%2C+Fliesenbad%2
C+Toilette+Etagenheizung.Ruhelage+und+AKH+N%E4he&Zimmer=2&Badezimmer=1&year_
built=1970&sq_feet=45&status=Aktiv&home_features%5B%5D=Einbauk%FCche&home_fe
atures%5B%5D=Gasetagenheizung&home_features%5B%5D=Lift

HTTP/1.1 403 Forbidden
Content-Length: 285
Keep-Alive: timeout=15, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--6d394431--


but in excludes.conf I have added:

# cms_realty
<LocationMatch "/index.php\?option=com_cmsrealty.*">
SecFilterRemove 300015
</LocationMatch>

I don't understand why this is still blocking. What am I doing wrong? 

Regards, Cristian


--
Cristian Livadaru
http://livadaru.net