Error mod_sec by CSR rule _23

I use mod_security with the latest basic rules.

It runs on all my pages whenever I use a query string, i.e.

www.mypage.com/index.php?querystring=1

I get a warning about exceeding the maximum number of arguments; however, the basic configuration defines max_num_args = 255, which, of course, is not exceeded.

Any ideas why?

Base conf:

SecRuleEngine on
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log
SecDebugLog /var/log/apache2/modsec_debug_log
SecDebugLogLevel 3
SecDefaultAction "phase:2,pass,log,status:500"
127E_DR.0.1 REM_REM.1.1 REM_REM.1_REM.0 allow
SecRequestBodyAccess on
SecResponseBodyAccess

SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecUploadDir /tmp
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /tmp
SecTmpDir /tmp
SecAuditLogStorageDir /var/log/apache2/audit
SecResponseBodyLimitAction ProcessPartial
SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=255"

The rule that runs:

# Maximum number of arguments in request limited  
SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Maximum number of arguments in request reached',id:'960335',severity:'4',rev:'2.0.7'"
    SecRule &ARGS "@gt %{tx.max_num_args}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

And log output:

--ad5dc005-C--
QueryString=2
--ad5dc005-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: SESSION=ak19oq36gpi94rco2qbi6j2k20; Path=/
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1272
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

- ad5dc005--
: Operator GT 0 ARGS. [ "/etc/apache2/conf/modsecurity_crs/base_rules/modsecurity_crs_23_request_limits.conf" ] [ "30" ] [id "960335" ] [rev "2.0.7" ] [msg " " ] [ "" ]
: GE 0 TX: anomaly_score. [ "/etc/apache2/conf/modsecurity_crs/base_rules/modsecurity_crs_49_inbound_blocking.conf" ] [ "18" ] [msg " ( : 5, SQLi =, XSS =): " ]
: . GE 0 TX: inbound_anomaly_score. [file "/etc/apache2/conf/modsecurity_crs/base_rules/modsecurity_crs_60_correlation.conf" ] [ "35" ] [msg " ( : 5, SQLi =, XSS =): " ]
Apache-Handler: application/x-httpd-php
: 1279667800315092 76979 (1546 * 7522 72931)
: ModSeurity Apache/2.5.11 (http://www.modsecurity.org/); /2.0.7. : Apache

+3
1

lib Ubuntu.., .11. , .12, , !

CSR .12. .

+3
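An added example, not part of the original question or answer: a small Python model of the rule 960335 chain, showing how the operand `0` in the log line ("GT 0 ARGS") can arise even though `tx.max_num_args` is 255. It assumes the engine hands the unexpanded text `%{tx.max_num_args}` to `@gt` and converts it the way C `atoi` would; that behaviour is an assumption consistent with the log, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl


def atoi(text):
    """C-style atoi: leading optional sign and digits, otherwise 0."""
    m = re.match(r"\s*([+-]?\d+)", text)
    return int(m.group(1)) if m else 0


def expand_macros(text, tx):
    """Replace %{tx.name} with the value stored in the TX collection."""
    return re.sub(
        r"%\{tx\.([\w.-]+)\}",
        lambda m: str(tx.get(m.group(1).lower(), "")),
        text,
        flags=re.I,
    )


def rule_960335_matches(query_string, tx, expand=True):
    """Model the chain: &TX:MAX_NUM_ARGS @eq 1, then &ARGS @gt operand.

    Returns (matched, numeric_operand_used_by_gt).
    """
    if "max_num_args" not in tx:            # first rule in the chain
        return False, None
    operand = "%{tx.max_num_args}"          # operand text as written in the rule
    if expand:                              # assumed: engine expands macros here
        operand = expand_macros(operand, tx)
    limit = atoi(operand)                   # unexpanded text parses to 0
    arg_count = len(parse_qsl(query_string, keep_blank_values=True))
    return arg_count > limit, limit


TX = {"max_num_args": 255}   # value set by the SecAction in the base conf
QUERY = "querystring=1"      # query string from the URL in the question

if __name__ == "__main__":
    for expand in (True, False):
        matched, limit = rule_960335_matches(QUERY, TX, expand)
        print(f"macro expanded={expand}: &ARGS=1 @gt {limit} -> match={matched}")
```

With expansion the single argument is compared against 255 and the rule stays quiet; without it the comparison is against 0, so any request carrying at least one argument raises the alert.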

Source: https://habr.com/ru/post/1755636/

