martinhsv
Hi @LoZio, The content: The warning not to use ModSecurity-apache is not just about one specific bug or functionality gap, but a more overall warning that it is not...
As mentioned in other issues, the ModSecurity-apache connector for use with ModSecurity v3 is not ready for production use. With Apache, the recommendation is to use ModSecurity v2.9.
Hello @Devstellar, I just thought I should highlight that no one on the core ModSecurity team has any time allocated to working on ModSecurity-apache. The ModSecurity version recommended for...
Apologies to those in the community feeling vexed about slow/no responses in this repo's issues. (Personally, since joining the team, it simply didn't occur to me to register for notifications...
Hello @M4tteoP, I'm open to revisiting some of these try/catch usages. Many of the existing usages aren't the highest-value usages of try/catch anyway. On the other hand, if we're...
This is not ideal behaviour. As the OP notes, intentionally giving away which WAF is protecting a site can give a malicious actor an advantage. The two most obvious approaches...
Hello @wanderer22 Is this still an issue? If so, I'm afraid you're going to have to indulge me and provide a more detailed explanation of the issue. For example, I'm...
Hi @amorozkin, I'll first confirm your observation: in ModSecurity v3, part E logging can indeed occur even when SecResponseBodyAccess is Off. The message that you are seeing ('Response body...
Hi @studersi, Is the information that you need present in the ModSecurity audit log? If so, you could consider using that as your full data source.
There is a size limit set within ModSecurity 2.x code that impacts how much data can be written to Apache's error.log file. (It may be that this limiting factor was...