
mod-security not triggering



I've recently upgraded a Debian box from Apache 1.3 to 2.x, which also
forced me to move over to the new mod-security 2.x packages as well. I
tried to port over some of my rules from 1.x, even though the new syntax
took some conversion. None of my rules seem to be triggering, though,
and I'm not sure how to debug the setup.

I'm including rules from conf.d with:

    SecRuleEngine On
    SecRequestBodyAccess On
    # snipped for brevity
    Include /etc/apache2/modsecurity/*.conf

and have the following:

    SecRule ARGS "root|tjacobs|www-data|apache|httpd" "log,deny,t:none,t:htmlEntityDecode,t:lowercase"
    SecRule ARGS "\.\." "log,deny,t:none,t:htmlEntityDecode,t:lowercase"
    SecRule ARGS "/etc/passwd" "log,deny,t:none,t:htmlEntityDecode,t:lowercase"
    SecRule ARGS "/etc/shadow" "log,deny,t:none,t:htmlEntityDecode,t:lowercase"
    SecRule ARGS "/(\.|.*(~|\.(bak|inc|tmp)|,v)|RCS)" "log,deny,t:none,t:htmlEntityDecode,t:lowercase"
    SecRule ARGS "/(bin|sbin|lib|home|tmp|var|boot|etc|usr|root|mnt|proc|sys|dev)\/""log,deny,t:none,t:htmlEntityDecode,t:lowercase"

However, none of the rules appear to trigger, or to log anywhere. Am I
missing something obvious? How do I debug this further?

-- 
"Oh, look: rocks!"
	-- Doctor Who, "Destiny of the Daleks"
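
One way to rule out the patterns themselves before looking at the engine configuration, as an added example that is not part of the original post: the six posted rules replayed offline against constructed argument values. It assumes Python's html.unescape is a close enough stand-in for t:htmlEntityDecode and re.search for the regex operator; the rule numbers 1-6 are just the order in the post.

```python
import html
import re

# The six patterns exactly as posted; numbering by page order is ours.
RULES = {
    1: r"root|tjacobs|www-data|apache|httpd",
    2: r"\.\.",
    3: r"/etc/passwd",
    4: r"/etc/shadow",
    5: r"/(\.|.*(~|\.(bak|inc|tmp)|,v)|RCS)",
    6: r"/(bin|sbin|lib|home|tmp|var|boot|etc|usr|root|mnt|proc|sys|dev)\/",
}
COMPILED = {n: re.compile(p) for n, p in RULES.items()}


def transform(value):
    """Approximate t:none,t:htmlEntityDecode,t:lowercase.
    Assumption: html.unescape decodes a superset of ModSecurity's entities."""
    return html.unescape(value).lower()


def matching_rules(value):
    """Numbers of the rules whose regex matches one transformed ARGS value."""
    v = transform(value)
    return [n for n, rx in COMPILED.items() if rx.search(v)]


def dead_literals():
    """Uppercase literals can never match input that t:lowercase has folded."""
    found = {}
    for n, p in RULES.items():
        # Drop escape sequences first so classes like \S are not miscounted.
        lits = re.findall(r"[A-Z]+", re.sub(r"\\.", "", p))
        if lits:
            found[n] = lits
    return found


# Constructed sample argument values, not taken from real traffic.
SAMPLES = ["../../etc/passwd", "ROOT", "&#46;&#46;&#47;etc&#47;shadow",
           "/src/RCS", "/www/index.php.bak", "hello"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:35} -> rules {matching_rules(s)}")
    print("never-matching literals:", dead_literals())
```

If values like these match offline but nothing is logged on the server, the patterns are not the problem; ModSecurity 2.x's SecDebugLog and SecDebugLogLevel directives show whether the rules are being loaded and evaluated at all.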

