****SPAM**** MEDIUM * Re: LOW * AW: [Modsecurity] A little problem with excludes

Cristian Livadaru cristian at livadaru.net
Thu Oct 11 05:55:23 EDT 2007 

Hi, this doesn't seem to work with Version 1.9.4

Invalid command 'SecRuleRemoveById', perhaps misspelled or defined by  
a module not included in the server configuration
It's the same way the original excludes.conf is configured.
I somehow think my Location doesn't quite match but I don't see why.

Cris

On Oct 11, 2007, at 11:48 , Thomas Ammermann wrote:

> Hi Christian,
>
> I usually exclude rules like this:
>
> <LocationMatch "xxx">
>     SecRuleRemoveById 300018
> </LocationMatch>
>
> Maybe this helps ...
>
> Kind regards,
> Thomas
>
>
> -----Ursprüngliche Nachricht-----
> Von: modsecurity-bounces at gotroot.com
> [mailto:modsecurity-bounces at gotroot.com] Im Auftrag von Cristian  
> Livadaru
> Gesendet: Donnerstag, 11. Oktober 2007 11:29
> An: modsecurity at gotroot.com
> Betreff: [Modsecurity] A little problem with excludes
>
> Hi modsecurity list,
>
> I seem to have a little problem with the excludes
>
> I have this in my Audit log:
>
>
> ==6d394431==============================
>
> Request: www.foo.com 127.0.0.1 - - [11/Oct/2007:09:25:57 +0200] "POST
> /index.php? 
> option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f
> 6c697374696e677326616d703b656469743d3336392661646d696e3d74727565  
> HTTP/1.1"
> 403 285
> "http://www.foo.com/component/option,com_cmsrealty/Itemid,4/ 
> openrealty,61637
> 4696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d6 
> 96e3d7
> 4727565/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7)
> Gecko/20070914 Firefox/2.0.0.7" - "-"
> ----------------------------------------
> POST
> /index.php? 
> option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f
> 6c697374696e677326616d703b656469743d3336392661646d696e3d74727565  
> HTTP/1.1
> Host: www.foo.com
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7)
> Gecko/20070914 Firefox/2.0.0.7
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/ 
> plain;q=
> 0.8,image/png,*/*;q=0.5
> Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer:
> http://www.foo.com/component/option,com_cmsrealty/Itemid,4/ 
> openrealty,616374
> 696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d69 
> 6e3d74
> 727565/
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 510
> mod_security-action: 403
> mod_security-message: Access denied with code 403. Pattern match
> "((alter|create|drop)[[:space:]]+(column|database|procedure|table)| 
> delete[[:
> space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"] [rev  
> "1"] [msg
> "Generic SQL injection protection"] [severity "CRITICAL"]
>
> 510
> action=update_listing&edit=369&title=Altbau-Miete&pclass%5B% 
> 5D=4&featured=no
> &edit_active=yes&mlsexport=no&or_owner=9&notes=&Adresse=Staudgasse&Sta 
> dt=Wie
> n&Postleitzahl=1180&Preis=530&betr_kosten=&miete=&full_desc=Nette 
> +Kleine+Zim
> mer+und+Kabinett+Wohnung%2C+Einbauk%FCche%2C+sehr+ger%E4umig%2C 
> +Fliesenbad%2
> C+Toilette+Etagenheizung.Ruhelage+und+AKH+N% 
> E4he&Zimmer=2&Badezimmer=1&year_
> built=1970&sq_feet=45&status=Aktiv&home_features%5B%5D=Einbauk% 
> FCche&home_fe
> atures%5B%5D=Gasetagenheizung&home_features%5B%5D=Lift
>
> HTTP/1.1 403 Forbidden
> Content-Length: 285
> Keep-Alive: timeout=15, max=89
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
> --6d394431--
>
>
> but in excludes.conf I have added:
>
> # cms_realty
> <LocationMatch "/index.php\?option=com_cmsrealty.*">
> SecFilterRemove 300015
> </LocationMatch>
>
> I don't understand why this is still blocking. What am I doing wrong?
>
> Regards, Cristian
>
>
> --
> Cristian Livadaru
> http://livadaru.net
>
>
>
>
>
>
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
>

--
Cristian Livadaru
http://livadaru.net




-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.gotroot.com/pipermail/modsecurity/attachments/20071011/c07c2b42/attachment.html

More information about the Modsecurity mailing list