You should use the ctl action in your rule to turn off the audit engine -

SecRule REQUEST_HEADERS:User-Agent "pingdom" "nolog,noauditlog,pass,ctl:auditEngine=Off"

Due to the fact that the UA data is easily spoofed, I would recommend you also do a check on the IP range or something so that attackers aren't evading your logging by putting pingdom in the UA field.

Ryan

On Aug 5, 2011, at 12:42 PM, "Gil Vidals" <[email protected]> wrote:

Need help in preventing the log entry from the monitoring system at pingdom.com because there are thousands of these entries per day. No matter what I try, I can't prevent the entry from being logged. I'm using the anomaly scoring.

in modsecurity_crs_48_local_exceptions.conf:

SecRule REQUEST_HEADERS:User-Agent "pingdom" "nolog,noauditlog,pass"

And after restarting Apache, I still am getting these entries:

--4489f76b-B--
GET /account/login/?next=/ HTTP/1.0
User-Agent: Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)
Host: blah.com

What else do you recommend I try?

--
Gil Vidals, VCP
www.vmracks.com - VMware Hosting Service Provider

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
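
The combined User-Agent and source-address check suggested in the reply, written as a chained rule. This is an added example, not a rule posted in the thread; the rule id 900100, the phase:1 placement and the 192.0.2.0/24 range (a documentation range) are placeholders and assumptions to replace with your own id and the monitoring service's published probe addresses.

```apache
# Added example, not from the thread.
# Placeholders: id 900100 and 192.0.2.0/24 (documentation range).

# Weak form: any client that sends "pingdom" in its User-Agent header
# switches audit logging off for its own request.
# SecRule REQUEST_HEADERS:User-Agent "pingdom" \
#     "nolog,noauditlog,pass,ctl:auditEngine=Off"

# Tighter form: chain the User-Agent match to a source-address match.
# - t:lowercase is applied because the logged header starts with "Pingdom".
# - ctl:auditEngine=Off is placed on the last rule of the chain, so it only
#   runs when both the User-Agent and the address condition match.
# - phase:1 is an assumption: request headers and REMOTE_ADDR are already
#   available there, before the request body rules run.
SecRule REQUEST_HEADERS:User-Agent "@contains pingdom" \
    "phase:1,id:900100,t:none,t:lowercase,nolog,pass,chain"
    SecRule REMOTE_ADDR "@ipMatch 192.0.2.0/24" \
        "ctl:auditEngine=Off"
```

If the server sits behind a reverse proxy or load balancer, REMOTE_ADDR is the proxy's address, so the address condition has to be evaluated where the real client address is visible.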
