I have a classic ModSecurity setup (installed via apt-get ...)
SecRuleEngine Off
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecAction "phase:1,t:none,nolog,pass, \
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml application/x-amf', \
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'"
And I get this error:
--70244300-A--
[04/Jun/2014:17:14:29 +0200] U4831X8AAAEAAFDVH5IAAAAS X.X.X.X 58274 Y.Y.Y.Y 80
--70244300-B--
GET /images/login_bg.jpg HTTP/1.1
Host: myHost.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://myHost.local/css/main.css
Cookie: symfony=9a09bb2c53df046aae0ed80c501c9585
Connection: keep-alive
--70244300-F--
HTTP/1.1 200 OK
Last-Modified: Wed, 05 Nov 2008 14:54:40 GMT
Accept-Ranges: bytes
Content-Length: 31429
Content-Type: image/jpeg
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
Connection: close
--70244300-E--
--70244300-H--
Message: Rule 7f36b7b712b0 [id "950901"][file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null).
Apache-Handler: proxy-server
Stopwatch: 1401894869729902 23796 (- - -)
Stopwatch2: 1401894869729902 23796; combined=9162, p1=144, p2=8864, p3=3, p4=82, p5=67, sr=0, sw=2, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/).
Server: Apache
--70244300-Z--
The strange rule:
#
# -=[ SQL Tautologies ]=-
#
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:([\s'\"'´’‘\(\)]*)?([\d\w]+)([\s'\"'´’‘\(\)]*)?(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"'´’‘\(\)]*)?|([\s'\"'´’‘\(\)]*)?([\d\w]+)([\s'\"'´’‘\(\)]*)?(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"'´’‘\(\)]*)?(?!)([\d\w]+))" \
"phase:2, \
rev:'2.2.5', \
capture, \
multiMatch, \
t:none, \
t:urlDecodeUni, \
t:replaceComments, \
ctl:auditLogParts=+E, \
block, \
msg:'SQL Injection Attack', \
id:'950901', \
logdata:'%{TX.0}', \
severity:'2', \
tag:'WEB_ATTACK/SQL_INJECTION', \
tag:'WASCTC/WASC-19', \
tag:'OWASP_TOP_10/A1', \
tag:'OWASP_AppSensor/CIE1', \
tag:'PCI/6.5.2', \
setvar:'tx.msg=%{rule.msg}', \
setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}, \
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, \
setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
I get this error for every request ... Why??
EDIT:
My SecRuleEngine is Off in my global configuration, BUT it is set to DetectionOnly for each VHOST.
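For reference, the error code in the audit log already names the cause: PCRE return value -8 is PCRE_ERROR_MATCHLIMIT (the recursion limit would report -21), so it is SecPcreMatchLimit 1000 that rule 950901 is running into. The 950901 regex wraps `[\d\w]+` in optional groups and then requires an operator (`=`, `like`, `<>`, ...) that benign values never contain, so on every target (the 32-character session cookie, the request filename, each argument) PCRE backtracks through every suffix of every run of word characters at every start position, and 1000 match steps is exhausted almost immediately. Because SecRuleEngine is DetectionOnly in the vhosts, the rule is evaluated on every request, hence the error on every request. The fragment below is an added illustration, not the question's own configuration nor a file from the Debian package: it shows the limits as posted beside raised values, plus a rule (modelled on the one shipped in ModSecurity's modsecurity.conf-recommended) that makes a silently aborted regex visible. The value 100000 and the rule id 999001 are assumptions chosen for the example.

```apache
# Added example, not part of the original question or of the Debian package.

# --- Before: the values from the question. "-8" in the audit log is
# PCRE_ERROR_MATCHLIMIT, i.e. the first directive is the one being hit;
# a recursion-limit abort would be reported as -21.
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# --- After: raise the limits so benign values (a 32-character cookie, an
# image path) no longer abort rule 950901. 100000 is an assumed starting
# point, not a measured value: raise it further if the error persists in
# the audit log, but keep it far below the PCRE library default of
# 10,000,000 so a crafted input still cannot pin a worker in the regex engine.
SecPcreMatchLimit 100000
SecPcreMatchLimitRecursion 100000

# When a rule aborts on this error ModSecurity sets TX:MSC_PCRE_LIMITS_EXCEEDED
# to 1 and treats the rule as NOT matched, so the request passes that rule
# unchecked. Flag the condition explicitly instead of relying on the H section
# of the audit log. Include this AFTER the CRS rules so that, within phase 2,
# it runs after 950901. The id 999001 is an assumption; pick one outside the
# ranges your rule sets use.
SecRule TX:/^MSC_/ "!@streq 0" \
    "id:'999001',phase:2,t:none,log,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
```

With the vhosts in DetectionOnly the `deny` is not enforced and the rule only logs, which is exactly what you want while tuning the limits; once the error no longer appears for normal traffic you can keep the rule as a tripwire for inputs that deliberately blow the regex budget.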