2 Nov 01:17
Problem at BSN webcast and rule in ModSecurity2_Webcast_Jan2007.pdf.
Danett song <danett18 <at> yahoo.com.br>
2007-11-02 00:17:37 GMT
Hi guys,
Today I accessed the BSN and was reading the
documentation called ModSecurity2_Webcast_Jan2007.pdf,
it's really nice. I tried one of the examples shown:
#
Other rules
#
#Blocking users by time
SecDataDir /var/tmp
SecAction initcol:ip=%{REMOTE_ADDR},nolog,pass
SecRule IP:BLOCKED "@gt 0"
SecRule REQUEST_URI "^(/news\.php)"
"chain,pass,log,setvar:ip.score=+15,id:1111,severity:4,msg:'Positive
Model - testing block.'"
SecRule ARGS_NAMES "!^(id)$"
SecRule IP:SCORE "@ge 30"
"setvar:ip.blocked=3600,deprecatevar:ip.blocked=1/1"
#
Other rules
#
However, it doesn't work properly; it triggers these
errors in the log on EVERY page that I access:
[Thu Nov 01 09:16:22 2007] [error] [client
xxx.xxx.xxx.xxx] ModSecurity: Warning. Operator GT
match: 0. [hostname "localhost"] [uri "/index.htm"]
[unique_id "cv80heCoAUEAAERtAs8AAAbA"]
[Thu Nov 01 09:16:22 2007] [error] [client
xxx.xxx.xxx.xxx] ModSecurity: Warning. Operator GE
match: 30. [hostname "localhost"] [uri "/index.htm"]
[unique_id "cv80heCoAUEAAERtAs8AAAbA"]
[Thu Nov 01 09:16:23 2007] [error] [client
xxx.xxx.xxx.xxx] ModSecurity: Warning. Operator GT
match: 0. [hostname "localhost"] [uri "/favico.ico"]
[unique_id "hfusidhfoowjkf93mfeinefS"]
[Thu Nov 01 09:16:23 2007] [error] [client
xxx.xxx.xxx.xxx] ModSecurity: Warning. Operator GE
match: 30. [hostname "localhost"] [uri "/favico.ico"]
[unique_id "hfusidhfoowjkf93mfeinefS"]
And not only in news.php and where the parameter is not
id.
The other problem is related to the ModSecurity 2.0
Webcast, 10 January 2007: when I click on it and
register I get this error:
Invalid Request
This URL is invalid. Please contact the publisher
or your site administrator.
© 2007 Breach Security, Inc. All rights reserved.
Privacy | Terms of Service | Request information about
WebEx services
I tried in IE and Firefox and both failed. :(
Suggestion: Provide this documentation in .pdf,
preferably with copy rights, so we can copy rules more
easily.
Thank you.
Regards,
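
A simplified model of the four posted rules, added here as an example (it is not code from the original post, the webcast PDF or ModSecurity itself): the IP:BLOCKED and IP:SCORE checks carry no URI condition and read a persistent per-address record, so they are evaluated on every request. The function names, the 192.0.2.10 address, the request sequence and the log-and-pass default action are assumptions.

```python
import re

# Simplified model of the posted rules; this is not ModSecurity's engine.
# Assumption: rules without an action list log and pass, as the "Warning"
# lines in the post suggest. Ageing of ip.blocked (deprecatevar) is not
# modelled; the visible rules never reduce ip.score.
NEWS = re.compile(r"^(/news\.php)")
ID_ONLY = re.compile(r"^(id)$")

def evaluate(ip_store, addr, uri, arg_names):
    """Run one request through the model; return the warnings it would log."""
    # initcol:ip=%{REMOTE_ADDR} -- load or create the persistent per-IP record
    col = ip_store.setdefault(addr, {"score": 0, "blocked": 0})
    warnings = []
    # SecRule IP:BLOCKED "@gt 0" -- no URI condition, checked on every request
    if col["blocked"] > 0:
        warnings.append("Operator GT match: 0.")
    # SecRule REQUEST_URI "^(/news\.php)" chained to ARGS_NAMES "!^(id)$"
    if NEWS.search(uri) and any(not ID_ONLY.search(n) for n in arg_names):
        col["score"] += 15  # setvar:ip.score=+15
        warnings.append("Positive Model - testing block.")
    # SecRule IP:SCORE "@ge 30" -- no URI condition, checked on every request
    if col["score"] >= 30:
        col["blocked"] = 3600  # setvar:ip.blocked=3600
        warnings.append("Operator GE match: 30.")
    return warnings

def replay():
    """Replay a constructed request sequence from one client address."""
    store = {}
    requests = [
        ("/news.php", ["foo"]),   # constructed: parameter other than id
        ("/news.php", ["bar"]),   # score reaches 30 here
        ("/index.htm", []),       # unrelated page
        ("/favico.ico", []),      # unrelated page
    ]
    return [(uri, evaluate(store, "192.0.2.10", uri, args))
            for uri, args in requests]

if __name__ == "__main__":
    for uri, warnings in replay():
        print(uri, warnings)
```
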