Blog

Modsec: no ID in error message

If you are receiving a modsec error in the apache error log;

[Wed Feb 10 02:02:32 2010] [error] [client 192.168.0.1] ModSecurity:
Access denied with code 500 (phase 2).
Pattern match "\\.php\\?.*loc=(http|https|ftp)\\:\\/" at REQUEST_URI.
[file "/usr/local/apache/conf/modsec2.user.conf"] [line "302"]
[hostname "domain.com"] [uri "/folder/file.php"]
[unique_id "S3JaCEPjyqQAAAOO2foAAAAY"]

and it does not give an ID number allowing you to whitelist the rule by ID as usual;


SecRuleRemoveById 300162 300163 300170


You can use the SecRuleRemoveByMsg instead to allow the addition of the rule to the whitelist


SecRuleRemoveByMsg "\.php\?.*loc=(http|https|ftp)\:\/"

g33kadmin

I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com/kb. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.