Hey,
I'm experimenting with a vanilla LAMP server (no control panel). Tripping the WAF is throwing the Apache default page instead of the 403 Forbidden.
I can see the event being logged inside ASL and the IP being blocked just fine.
Any ideas?
not getting 403 forbidden when WAF is tripped
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: not getting 403 forbidden when WAF is tripped
Which rule?
Michael Shinn
Atomicorp - Security For Everyone
Re: not getting 403 forbidden when WAF is tripped
340162 Atomicorp.com WAF Rules: URL detected as argument, possible RFI attempt detected
Another thing: I tried uninstalling ASL recently but it didn't go well. I couldn't even reinstall ASL; instead I had to format the server.
- mikeshinn
Re: not getting 403 forbidden when WAF is tripped
I'm not able to reproduce this behavior. The rule specifically sends a 403 error; you can see that in the rule itself:
"phase:2,deny,status:403,capture,id:340162,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,chain,rev:300,severity:2,msg:'Atomicorp.com WAF Rules: URL detected as argument, possible RFI attempt detected',logdata:'%TX:0,%{matched_var_name}'"
However, if Apache is configured to send something different, then ModSecurity will not override that.
Michael Shinn
Atomicorp - Security For Everyone
Re: not getting 403 forbidden when WAF is tripped
Could you tell me where this is configured inside the Apache configuration?
- mikeshinn
Re: not getting 403 forbidden when WAF is tripped
It could be almost anywhere: in a .htaccess file and/or in one or more of your Apache configuration files. For example, setting custom error responses will do this.
Michael Shinn
Atomicorp - Security For Everyone
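One way to narrow down where a custom 403 response is set, as an added example that is not part of the original thread and not Atomicorp code: the script lists every active `ErrorDocument 403` directive under the directories you give it and says how each one changes what the client receives. The function names and sample files are constructed for illustration, and it assumes Apache configuration files end in `.conf`.

```shell
#!/bin/sh
# Added example (not Atomicorp code): locate active "ErrorDocument 403"
# directives that change what a client sees when a rule denies with status:403.

# find_403_overrides DIR...  ->  prints file:line:kind:target
# Assumption: configuration files end in .conf; per-directory files are .htaccess.
find_403_overrides() {
    find "$@" -type f \( -name '*.conf' -o -name '.htaccess' \) -exec awk '
        $1 ~ /^#/ { next }                        # skip commented-out lines
        tolower($1) == "errordocument" && $2 == "403" {
            t = $3
            if (tolower(t) ~ /^https?:\/\//)  kind = "redirect"    # client is redirected, never sees the 403
            else if (t ~ /^\//)               kind = "local-page"  # body replaced by a local URL
            else if (tolower(t) == "default") kind = "default"     # built-in 403 message
            else                              kind = "text"        # inline message string
            printf "%s:%d:%s:%s\n", FILENAME, FNR, kind, t
        }' {} + 2>/dev/null
    return 0
}

# make_sample_tree -> prints the path of a temp dir holding constructed sample files
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/conf" "$d/www"
    printf '%s\n' '# ErrorDocument 403 /commented-out.html' \
                  'ErrorDocument 404 /missing.html' \
                  'ErrorDocument 403 /index.html' > "$d/conf/httpd.conf"
    printf '%s\n' 'errordocument 403 http://example.com/blocked' > "$d/www/.htaccess"
    printf '%s\n' "$d"
}

# Scan the directories given as arguments, or the constructed sample when none are given.
if [ "$#" -gt 0 ]; then
    find_403_overrides "$@"
else
    sample=$(make_sample_tree)
    find_403_overrides "$sample"
    rm -rf "$sample"
fi
```

Pass it your Apache configuration directory and each document root; files reached only through symlinks are not followed, so point it at the real directories.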