mod_security: is the page supposed to load?

mod_security: block web proxy from running?

Hi,

I installed mod_security 2, added a simple test:

SecRule REQUEST_URI "attack"

then visited a site on the server with ?attack after the URL, I then checked the log at /etc/http/logs/modsec_audit_log...

It shows up in the log, but yet the request isn't blocked or anything, I can still visit the URL with ?attack in it. Is this normal?

 

Nevermind, I figured out it has to do with phases. However I'm still somewhat confused about how they work, is the request still blocked?

If I put it in phase:3, I get a white page, and nothing in the logs, but it does block the request. Does phase:2 (default) still deny the request but load the page as usual?

 

Really what I'm trying to do is block web proxies from running...Sure I can set:

SecRule REQUEST_URI "q="

This blocks one of the scripts that I see running, because it uses http://www.proxy.com/?q=LONG-HASH-STRING-HERE

But nothings to say they can't change the q= to another letter, and it would work again. I'm wondering if theres a more concrete way to stop any proxies from running. I know you can disable http requests in the URI (incase it was ?q=http://www.domainwantedtovisitbehindproxy.com), but it doesn't work when the script is running the URL with a bunch of random letters & numbers

Is there a way to decode the string, so that it sees the http:// instead of letters and numbers?

 

Well I'm using this for now:

SecRule REQUEST_URI "\?[a-zA-Z0-9]=[a-zA-Z0-9]{10}"

It seems to block it out. Let me know if anyone has any better way of doing this!

EDIT: After too many false positives, I've resorted back to the [qu] option, still don't like it though, because they can change the letter in the script:

Still happy to hear if anyone has anything better though!