Looks like you put this rule in your 48 local exceptions file.  I would suggest 
you put it in a modsecurity_crs_15_customrules.conf file and change the phase 
to 1 (phase:1).  This will ensure your rule runs before the current rule that 
is triggering the alert.

-Ryan
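An added example, not from the thread, of the phase-1 rule Ryan describes above, combined with the source-IP check he recommended earlier in the thread. The network 203.0.113.0/24 is a placeholder rather than the monitoring service's real address range, and the rule id 1000100 is an arbitrary choice:

```apache
# Added example (not from the thread). Put this in modsecurity_crs_15_customrules.conf
# so it loads before the CRS rules, and run it in phase:1 so the ctl action takes
# effect before the phase:2 rules that raise the anomaly alert and audit entry.
#
# Both conditions must hold (chain): the User-Agent mentions pingdom AND the
# request comes from the monitoring service's network. 203.0.113.0/24 is a
# documentation placeholder; substitute the real monitoring source addresses.
# A request with a spoofed User-Agent from any other address still gets full logging.
SecRule REQUEST_HEADERS:User-Agent "@contains pingdom" \
    "id:1000100,phase:1,t:none,t:lowercase,nolog,noauditlog,pass,chain"
    SecRule REMOTE_ADDR "@ipMatch 203.0.113.0/24" \
        "ctl:auditEngine=Off"
```

Check the debug log after restarting Apache: the rule should now appear with "phase:1" and the later CRS rules should no longer produce an audit log entry for matching requests.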

From: Gil Vidals <[email protected]>
Date: Tue, 9 Aug 2011 00:35:45 -0500
To: [email protected]
Subject: Re: [Owasp-modsecurity-core-rule-set] help with preventing entries to audit log

Changing pass to allow didn't help.

I forgot to mention mod sec is operating under DetectionOnly mode for the time 
being. The debug log shows that the pattern does match, but there is still an 
audit log entry being made for "pingdom"!

Here is the output of the debug log:

[08/Aug/2011:21:51:24 --0700] [www.commq.org/sid#7fe3411dd3e0][rid#7fe341733ca0][/][5] Rule 7fe340b17a40: SecRule "REQUEST_HEADERS:User-Agent" "@rx pingdom" "phase:2,nolog,noauditlog,pass,ctl:auditEngine=Off"
[08/Aug/2011:21:51:24 --0700] [www.commq.org/sid#7fe3411dd3e0][rid#7fe341733ca0][/][4] Executing operator "rx" with param "pingdom" against REQUEST_HEADERS:User-Agent.
[08/Aug/2011:21:51:24 --0700] [www.commq.org/sid#7fe3411dd3e0][rid#7fe341733ca0][/][4] Warning. Pattern match "pingdom" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/modsecurity.d/base_rules/modsecurity_crs_48_local_exceptions.conf"] [line "69"]

On Sat, Aug 6, 2011 at 12:06 PM, Josh Amishav-Zlatin <[email protected]> wrote:
What happens if you use allow instead of pass? Can you see what rules are 
firing in the debug log?

--
 - Josh


On Sat, Aug 6, 2011 at 12:09 AM, Gil Vidals <[email protected]> wrote:
Thanks for the response. There must be something deeper going on here because 
even after adding the line you suggested, I'm still getting these entries after 
restarting apache:

--c073772f-B--
GET /account/login/?next=/ HTTP/1.0
User-Agent: Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)
Host: blah.com

Why isn't this rule being applied as I thought? Is it time to turn on mod sec 
debugging?
  SecRule REQUEST_HEADERS:User-Agent "pingdom" 
"nolog,noauditlog,pass,ctl:auditEngine=Off"


Gil Vidals / VM Racks

On Fri, Aug 5, 2011 at 1:02 PM, Ryan Barnett <[email protected]> wrote:
You should use the ctl action in your rule to turn off the audit engine -

SecRule REQUEST_HEADERS:User-Agent "pingdom" 
"nolog,noauditlog,pass,ctl:auditEngine=Off"

Due to the fact that the UA data is easily spoofed, I would recommend you also 
do a check on the IP range or something so that attackers aren't evading your 
logging by putting pingdom in the UA field.

Ryan

On Aug 5, 2011, at 12:42 PM, "Gil Vidals" <[email protected]> wrote:

Need help in preventing the log entry from the monitoring system at pingdom.com 
because there are thousands of these entries per day. No matter what I try, I 
can't prevent the entry from being logged. I'm using the anomaly scoring.

in modsecurity_crs_48_local_exceptions.conf:
SecRule REQUEST_HEADERS:User-Agent "pingdom" "nolog,noauditlog,pass"

And after restarting apache, I still am getting these entries:

--4489f76b-B--
GET /account/login/?next=/ HTTP/1.0
User-Agent: Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)
Host: blah.com

What else do you recommend I try?

--
Gil Vidals, VCP
[email protected]
www.vmracks.com - VMware Hosting Service Provider
t. 760.705.4022 IM: [email protected]
HIPAA Compliant Hosting
VMware Hosting

CONFIDENTIALITY NOTICE: The information contained in this transmission may 
contain privileged and confidential information.  It is intended only for the 
use of the person(s) named above.  If you are not the intended recipient, 
please contact the sender by reply email and permanently delete the original 
message.

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

________________________________
This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, distribution, 
or use of the information contained herein (including any reliance thereon) is 
STRICTLY PROHIBITED. If you received this transmission in error, please 
immediately contact the sender and destroy the material in its entirety, 
whether in electronic or hard copy format.












