Hi Gil,

Can you show us the complete audit event that still shows up in your logs?

--
- Josh

On Tue, Aug 9, 2011 at 8:35 AM, Gil Vidals <[email protected]> wrote:
> Changing pass to allow didn't help.
>
> I forgot to mention mod sec is operating under DetectionOnly mode for the
> time being. The debug log shows that the pattern does match, but there is
> still an audit log entry being made for "pingdom"!
>
> Here is the output of the debug log:
>
> [08/Aug/2011:21:51:24 --0700] [www.commq.org/sid#7fe3411dd3e0][rid#7fe341733ca0][/][5] Rule 7fe340b17a40: SecRule "REQUEST_HEADERS:User-Agent" "@rx pingdom" "phase:2,nolog,noauditlog,pass,ctl:auditEngine=Off"
> [08/Aug/2011:21:51:24 --0700] [www.commq.org/sid#7fe3411dd3e0][rid#7fe341733ca0][/][4] Executing operator "rx" with param "pingdom" against REQUEST_HEADERS:User-Agent.
> [08/Aug/2011:21:51:24 --0700] [www.commq.org/sid#7fe3411dd3e0][rid#7fe341733ca0][/][4] Warning. Pattern match "pingdom" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/modsecurity.d/base_rules/modsecurity_crs_48_local_exceptions.conf"] [line "69"]
>
> On Sat, Aug 6, 2011 at 12:06 PM, Josh Amishav-Zlatin <[email protected]> wrote:
>
>> What happens if you use allow instead of pass? Can you see what rules are
>> firing in the debug log?
>>
>> --
>> - Josh
>>
>> On Sat, Aug 6, 2011 at 12:09 AM, Gil Vidals <[email protected]> wrote:
>>
>>> Thanks for the response. There must be something deeper going on here
>>> because even after adding the line you suggested, I'm still getting these
>>> entries after restarting apache:
>>>
>>> --c073772f-B--
>>> GET /account/login/?next=/ HTTP/1.0
>>> User-Agent: Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)
>>> Host: blah.com
>>>
>>> Why isn't this rule being applied as I thought? Is it time to turn on mod
>>> sec debugging?
>>>
>>> SecRule REQUEST_HEADERS:User-Agent "pingdom" "nolog,noauditlog,pass,ctl:auditEngine=Off"
>>>
>>> Gil Vidals / VM Racks
>>>
>>> On Fri, Aug 5, 2011 at 1:02 PM, Ryan Barnett <[email protected]> wrote:
>>>
>>>> You should use the ctl action in your rule to turn off the audit engine -
>>>>
>>>> SecRule REQUEST_HEADERS:User-Agent "pingdom" "nolog,noauditlog,pass,ctl:auditEngine=Off"
>>>>
>>>> Due to the fact that the UA data is easily spoofed, I would recommend
>>>> you also do a check on the IP range or something so that attackers aren't
>>>> evading your logging by putting pingdom in the UA field.
>>>>
>>>> Ryan
>>>>
>>>> On Aug 5, 2011, at 12:42 PM, "Gil Vidals" <[email protected]> wrote:
>>>>
>>>> Need help in preventing the log entry from the monitoring system at
>>>> pingdom.com because there are thousands of these entries per day. No
>>>> matter what I try, I can't prevent the entry from being logged. I'm using
>>>> the anomaly scoring.
>>>>
>>>> in modsecurity_crs_48_local_exceptions.conf:
>>>> SecRule REQUEST_HEADERS:User-Agent "pingdom" "nolog,noauditlog,pass"
>>>>
>>>> And after restarting apache, I still am getting these entries:
>>>>
>>>> --4489f76b-B--
>>>> GET /account/login/?next=/ HTTP/1.0
>>>> User-Agent: Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)
>>>> Host: blah.com
>>>>
>>>> What else do you recommend I try?
>>>>
>>>> --
>>>> Gil Vidals, VCP
>>>> [email protected]
>>>> www.vmracks.com - VMware Hosting Service Provider
>>>> t. 760.705.4022 IM: [email protected]
>>>>
>>>> HIPAA Compliant Hosting
>>>> VMware Hosting
>>>>
>>>> CONFIDENTIALITY NOTICE: The information contained in this transmission
>>>> may contain privileged and confidential information. It is intended only
>>>> for the use of the person(s) named above. If you are not the intended
>>>> recipient, please contact the sender by reply email and permanently delete
>>>> the original message.
>>>>
>>>> _______________________________________________
>>>> Owasp-modsecurity-core-rule-set mailing list
>>>> [email protected]
>>>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>>>>
>>>> ________________________________
>>>> This transmission may contain information that is privileged,
>>>> confidential, and/or exempt from disclosure under applicable law. If you
>>>> are not the intended recipient, you are hereby notified that any
>>>> disclosure, copying, distribution, or use of the information contained
>>>> herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
>>>> received this transmission in error, please immediately contact the sender
>>>> and destroy the material in its entirety, whether in electronic or hard
>>>> copy format.
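Ryan's point in the thread is that "pingdom" in the User-Agent is trivially spoofable, so an exception keyed on the UA alone lets anyone opt out of your audit log. The following is an added example, not code from the thread or from the CRS project, showing how to express his suggestion as a chained ModSecurity 2.x rule that exempts a request only when both the User-Agent and the source address match. Assumptions not on the page: the rule id 1001 is a constructed value from the local-use range; 192.0.2.0/24 is the documentation range TEST-NET-1, standing in for the monitoring vendor's published source ranges, which you would substitute yourself; the `(?i)` flag is made explicit so the match does not depend on a default transformation (the audit events on the page show the UA as "Pingdom.com_bot...", with a capital P).

```apache
# Added example: exempt a monitoring probe from the audit log only when
# BOTH conditions hold. In a chain, the actions on the first rule
# (here pass, nolog, noauditlog and ctl:auditEngine=Off) are applied
# only if every rule in the chain matches, so a spoofed User-Agent from
# an address outside the range changes nothing.
#
# Assumptions (not from the thread): id 1001 is constructed;
# 192.0.2.0/24 is TEST-NET-1, a placeholder for the vendor's real ranges.
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)pingdom" \
    "id:1001,phase:1,pass,nolog,noauditlog,chain,ctl:auditEngine=Off"
    # Second link of the chain: the client address must also match.
    SecRule REMOTE_ADDR "@ipMatch 192.0.2.0/24"
```

This goes in the same local exceptions file the thread uses. The audit log decision is made in the logging phase at the end of the transaction, so a phase 1 rule that turns the audit engine off for this transaction takes effect regardless of which CRS rules match later, and it works the same under DetectionOnly, since ctl is not a disruptive action.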
