List:       mod-security-users
Subject:    [mod-security-users] strange behaviors with secmarker and skipafter,
From:       Yi Li <yi.li26 () gmail ! com>
Date:       2011-06-17 17:24:17
Message-ID: BANLkTikYxFmprFc6jTa+4Y=5resySWSbvQ () mail ! gmail ! com

I placed a few rules in a block inside SecMarker, which can be skipped with
the 'skipAfter' operator if the skipAfter rule matches.

The skipAfter does not work as I wished, and the result is really
interesting.

Any help would be appreciated.

Here is what I find:

1. The skipAfter is triggered, but the rule inside the 'SecMarker' is still
evaluated.

2. The log message from the rule inside the SecMarker comes before the log
message from the skipAfter rule.
   Does this suggest that the engine evaluates the rule inside the SecMarker
first?
   Please note that the skipAfter rule is placed before the rule inside the
SecMarker.

Here are the log messages from audit.log:

--ee2d1c1a-H--
Message: Warning. Pattern match "^10\.161\.2\.49$" at REMOTE_ADDR. [file "/opt/modsecurity/conf/modsecurity_crs_15_customrules.conf"] [line "10"] [msg "ip block"] [data "/webapp/wcs/stores/servlet/urlxx"]
Message: Warning. Match of "contains url001,phase:1,skipAfter:AFTER_GEO_IP_CHECK,pass,msg:'skip geoip',logdata:'%{REQUEST_FILENAME}',ctl:debugLogLevel=9" against "REQUEST_FILENAME" required. [file "/opt/modsecurity/conf/modsecurity_crs_15_customrules.conf"] [line "5"]

Here are the rules:

SecRule REQUEST_FILENAME "!@contains url01,phase:1,skipAfter:AFTER_GEO_IP_CHECK,pass,msg:'skip geoip',logdata:'%{REQUEST_FILENAME}',ctl:debugLogLevel=9"

SecMarker GEO_IP_CHECK

SecRule REMOTE_ADDR "^10\.128\.76\.50$" "phase:1,drop,msg:'ip block',logdata:'%{REQUEST_FILENAME}'"
SecRule REMOTE_ADDR "^10\.161\.2\.49$" "phase:1,pass,msg:'ip block',logdata:'%{REQUEST_FILENAME}'"

## GeoIP blocking rules

SecMarker AFTER_GEO_IP_CHECK
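Added example (not part of the post above, and not ModSecurity's own code): a small Python model of how an Apache-style configuration parser splits a SecRule line into whitespace-separated, double-quoted arguments, and how skipAfter then jumps past a SecMarker. In the posted rule the operator and the action list share one pair of double quotes, so the directive has only two arguments: everything after "@contains " becomes the operator argument, there is no action list at all, and a rule with no phase action lands in ModSecurity's default phase 2. That reading is consistent with both audit-log lines quoted above: the second message echoes the whole string as the pattern whose match was required, carries no [msg], and is logged after the phase-1 "ip block" rule. The model assumes that parsing (shlex's POSIX quoting stands in for Apache's), implements only the @contains and @rx operators, and uses the REMOTE_ADDR and REQUEST_FILENAME values from the audit log as a constructed transaction. FIXED_RULE is a constructed variant of the posted rule with the action list as its own quoted third argument.

```python
"""Miniature model of how a SecRule line is split into arguments and how
skipAfter interacts with SecMarker. Added illustration, not ModSecurity code."""
import re
import shlex

# Constructed copies of the rules from the post. In POSTED_RULE the operator
# and the action list sit inside ONE pair of double quotes; FIXED_RULE is the
# same rule with the action list as its own quoted third argument.
POSTED_RULE = ("SecRule REQUEST_FILENAME \"!@contains url01,phase:1,"
               "skipAfter:AFTER_GEO_IP_CHECK,pass,msg:'skip geoip',"
               "logdata:'%{REQUEST_FILENAME}',ctl:debugLogLevel=9\"")
FIXED_RULE = ("SecRule REQUEST_FILENAME \"!@contains url01\" "
              "\"phase:1,skipAfter:AFTER_GEO_IP_CHECK,pass,msg:'skip geoip',"
              "logdata:'%{REQUEST_FILENAME}'\"")
GEO_BLOCK = [
    "SecMarker GEO_IP_CHECK",
    "SecRule REMOTE_ADDR \"^10\\.128\\.76\\.50$\" "
    "\"phase:1,drop,msg:'ip block',logdata:'%{REQUEST_FILENAME}'\"",
    "SecRule REMOTE_ADDR \"^10\\.161\\.2\\.49$\" "
    "\"phase:1,pass,msg:'ip block',logdata:'%{REQUEST_FILENAME}'\"",
    "## GeoIP blocking rules",
    "SecMarker AFTER_GEO_IP_CHECK",
]


def parse_actions(text):
    """Split "phase:1,pass,msg:'skip geoip'" into a dict; single-quoted
    values may contain commas."""
    actions = {}
    for item in re.findall(r"(?:[^,']|'[^']*')+", text):
        key, _, value = item.partition(":")
        actions[key.strip()] = value.strip().strip("'")
    return actions


def parse_directive(line):
    """Split one directive the way an Apache-style config parser does:
    whitespace separates arguments and double quotes group them. SecRule
    takes VARIABLES, OPERATOR and an optional ACTIONS argument."""
    words = shlex.split(line)          # POSIX quoting stands in for Apache's
    name, args = words[0], words[1:]
    if name == "SecMarker":
        return {"type": "marker", "id": args[0]}
    if name != "SecRule" or len(args) not in (2, 3):
        raise ValueError(f"unsupported directive: {line}")
    variable, operator = args[0], args[1]
    actions = parse_actions(args[2]) if len(args) == 3 else {}
    negate = operator.startswith("!")  # '!' inverts the operator result
    operator = operator.lstrip("!")
    if operator.startswith("@"):
        op_name, _, op_arg = operator[1:].partition(" ")
    else:                              # a bare pattern means @rx
        op_name, op_arg = "rx", operator
    return {"type": "rule", "variable": variable, "negate": negate,
            "op": op_name, "arg": op_arg, "actions": actions,
            # ModSecurity's default phase when no phase action is present
            "phase": int(actions.get("phase", 2))}


def load_rules(lines):
    """Parse a rule file, ignoring blank lines and '#' comments."""
    return [parse_directive(l) for l in lines
            if l.strip() and not l.lstrip().startswith("#")]


def evaluate(rule, tx):
    value = tx.get(rule["variable"], "")
    if rule["op"] == "contains":
        hit = rule["arg"] in value
    elif rule["op"] == "rx":
        hit = re.search(rule["arg"], value) is not None
    else:
        raise ValueError(f"operator @{rule['op']} is not modelled here")
    return hit != rule["negate"]


def run(directives, tx):
    """Evaluate rules phase by phase; a matching rule with skipAfter jumps
    past the named marker within the current phase."""
    log = []
    for phase in (1, 2):
        i = 0
        while i < len(directives):
            d = directives[i]
            i += 1
            if d["type"] != "rule" or d["phase"] != phase or not evaluate(d, tx):
                continue
            log.append(f"phase {phase}: {d['actions'].get('msg', '(no msg)')}")
            if "skipAfter" in d["actions"]:
                target = d["actions"]["skipAfter"]
                hits = [i + j + 1 for j, m in enumerate(directives[i:])
                        if m["type"] == "marker" and m["id"] == target]
                i = hits[0] if hits else len(directives)
            if "drop" in d["actions"] or "deny" in d["actions"]:
                log.append(f"phase {phase}: transaction dropped")
                return log
    return log


# Constructed transaction using the values shown in the posted audit log.
TX = {"REMOTE_ADDR": "10.161.2.49",
      "REQUEST_FILENAME": "/webapp/wcs/stores/servlet/urlxx"}


def run_posted():
    return run(load_rules([POSTED_RULE] + GEO_BLOCK), TX)


def run_fixed(filename=TX["REQUEST_FILENAME"]):
    return run(load_rules([FIXED_RULE] + GEO_BLOCK), dict(TX, REQUEST_FILENAME=filename))


if __name__ == "__main__":
    posted = parse_directive(POSTED_RULE)
    print("posted rule actions:", posted["actions"])
    print("posted rule operator argument:", posted["arg"])
    print("posted rules:", run_posted())
    print("fixed rules:", run_fixed())
    print("fixed rules, URL contains url01:", run_fixed("/webapp/url01"))
```

With the posted quoting the model reproduces the order seen in audit.log (the phase-1 "ip block" message first, then the anonymous phase-2 match with the whole action string as its pattern); with the action list in its own quoted argument the skipAfter fires in phase 1 and neither REMOTE_ADDR rule is evaluated. A quick way to spot this class of mistake in a real rule set is to check that every SecRule whose operator string contains "phase:" or "skipAfter:" actually has three arguments.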


_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php

