Thanks for the response. There must be something deeper going on here
because even after adding the line you suggested, I'm still getting these
entries after restarting apache:

--c073772f-B--
GET /account/login/?next=/ HTTP/1.0
User-Agent: Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)
Host: blah.com

Why isn't this rule being applied as I thought? Is it time to turn on mod
sec debugging?
  SecRule REQUEST_HEADERS:User-Agent "pingdom" "nolog,noauditlog,pass,ctl:auditEngine=Off"


Gil Vidals / VM Racks

On Fri, Aug 5, 2011 at 1:02 PM, Ryan Barnett <[email protected]> wrote:

> You should use the ctl action in your rule to turn off the audit engine -
>
> SecRule REQUEST_HEADERS:User-Agent "pingdom" "nolog,noauditlog,pass,ctl:auditEngine=Off"
>
> Due to the fact that the UA data is easily spoofed, I would recommend you
> also do a check on the IP range or something so that attackers aren't
> evading your logging by putting pingdom in the UA field.
>
> Ryan
>
> On Aug 5, 2011, at 12:42 PM, "Gil Vidals" <[email protected]> wrote:
>
> Need help in preventing the log entry from the monitoring system at
> pingdom.com because there are thousands of these entries per day. No
> matter what I try, I can't prevent the entry from being logged. I'm using
> the anomaly scoring.
>
> in modsecurity_crs_48_local_exceptions.conf:
> SecRule REQUEST_HEADERS:User-Agent "pingdom" "nolog,noauditlog,pass"
>
> And after restarting apache, I still am getting these entries:
>
> --4489f76b-B--
> GET /account/login/?next=/ HTTP/1.0
> User-Agent: Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)
> Host: blah.com
>
> What else do you recommend I try?
>
> --
> Gil Vidals, VCP
> [email protected]
> www.vmracks.com - VMware Hosting Service Provider
> t. 760.705.4022 IM: [email protected]
>
> HIPAA Compliant Hosting
> VMware Hosting
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>



_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
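
Added example, not part of the original messages: one way to write the rule Ryan describes, chaining the User-Agent match to a source-address check so that a spoofed "pingdom" User-Agent alone does not switch off audit logging. The rule id, phase:1 and the 192.0.2.0/24 range (a documentation range standing in for the monitoring service's real probe addresses) are assumptions, as is a ModSecurity version that provides @ipMatch.

```apache
# Rule 1 (chain starter): User-Agent contains "pingdom", case-insensitively.
# "pass" and "nolog" belong here because disruptive and logging decisions
# for a chain are taken from the starter rule.
SecRule REQUEST_HEADERS:User-Agent "@contains pingdom" \
    "id:1000001,phase:1,t:none,t:lowercase,nolog,noauditlog,pass,chain"
    # Rule 2 (chained): the client address must also fall inside the
    # monitoring service's range. 192.0.2.0/24 is a constructed placeholder.
    #
    # ctl:auditEngine=Off sits on this last rule on purpose: non-disruptive
    # actions run as soon as the rule carrying them matches, so putting it
    # on the starter would disable auditing for any client that merely
    # sends "pingdom" in its User-Agent.
    SecRule REMOTE_ADDR "@ipMatch 192.0.2.0/24" \
        "ctl:auditEngine=Off"
```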
