not getting 403 forbidden when WAF is tripped

[imadsani]

Hey,

I'm experimenting with a vanilla LAMP server (no control panel). Tripping the WAF is throwing the Apache default page instead of the 403 Forbidden.
I can see the event being logged inside ASL and the IP being block just fine.

Any ideas?

[mikeshinn]

Which rule?

[imadsani]

Code: Select all

340162	Atomicorp.com WAF Rules: URL detected as argument, possible RFI attempt detected

On older ASL versions the above has generated the 403 Forbidden page

Another thing, I tried uninstalling ASL recently but it didn't go well. I couldn't even reinstall ASL, instead had to format the server

[mikeshinn]

I'm not able to reproduce this behavior, the rule specifically sends a 403 error, you can see that in the rule itself:

"phase:2,deny,status:403,capture,id:340162,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,chain,rev:300,severity:2,msg:'Atomicorp.com WAF Rules: URL detected as argument, possible RFI attempt detected',logdata:'%TX:0,%{matched_var_name}'"

However, if apache is configured to send something differently, then modsecurity will not over-ride that.

[imadsani]

Could you tell me where this is configured inside the apache configuration?

[mikeshinn]

It could be almost anywhere, in a .htaccess file and/or in one or more of your apache configuration file, for example setting custom error responses will do this.