Vince | 4 Oct 23:43

Making custom rules that use request header and method

Hi Everyone,

I'm having problems creating deny rules for the following kind of requests:

PROPFIND   /   HTTP/1.1
Depth: 0
translate: f
User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600

I want to create rules to deny and block anything with PROPFIND as the method or "translate: f" in the headers.  This is what I have currently in my modsecurity_crs_15_customrules.conf but it's not working:

SecRule REQUEST_METHOD propfind "phase:1,deny,nolog"
SecRule REQUEST_HEADERS_NAMES:translate ^f$ "phase:1,deny,nolog"

I've tried variations like capitalizing PROPFIND, putting it in quotes "PROPFIND", using the start and end characters ^propfind$. These rules still keep getting triggered and I get alerts in my console. 
Any ideas? 

Thanks!
-- -- Vince | Michael Smith Laboratories Systems Network Manager | University of British Columbia
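
The two rules from the message above, rewritten against the sample request as an added example (not part of the original post). It assumes ModSecurity 2.x rule syntax; the rule ids are constructed placeholders.

```apache
# Added example, ModSecurity 2.x syntax assumed.
# Rule ids 900001 and 900002 are constructed placeholders.

# Posted form, kept for comparison:
#   SecRule REQUEST_METHOD propfind "phase:1,deny,nolog"
# The regular expression is matched case-sensitively, and the request line
# carries the method as "PROPFIND". t:none clears any inherited
# transformations so the pattern sees the method exactly as sent.
SecRule REQUEST_METHOD "^PROPFIND$" \
    "phase:1,id:900001,t:none,deny,status:403,nolog"

# Posted form, kept for comparison:
#   SecRule REQUEST_HEADERS_NAMES:translate ^f$ "phase:1,deny,nolog"
# REQUEST_HEADERS_NAMES holds header names, so "^f$" is compared with the
# name "translate" and not with its value. REQUEST_HEADERS:Translate selects
# the value of that header; t:lowercase lets the pattern cover both
# "f" and "F".
SecRule REQUEST_HEADERS:Translate "^f$" \
    "phase:1,id:900002,t:none,t:lowercase,deny,status:403,nolog"
```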