Hi all, I have a site which is routinely scanned both internally and by an external service. I want to have mod_security running and intervening but don't want any of the associated log noise. The scans originate from known IPs and have known User-Agents, etc., so I can easily identify them.

So far I have been turning the auditEngine off with things like: SecRule REMOTE_ADDR "^123\.123\.123\.123$" "nolog,ctl:auditEngine=Off" but I have noticed this doesn't catch everything, specifically CRS rule 981227 (Apache Error: Invalid URI in Request). If I understand things correctly, this is because Apache is blocking the request early and Modsec phases 1-4 don't run; it just goes straight to 5? Should I be putting my rule above in phase 5 (additionally or instead)?

Ryan's blog at: http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html and the modsecurity_crs_11_avs_traffic.conf CRS file seem to suggest that phase 1 is the preferred place, but that doesn't seem to be entirely effective for me. Am I missing something?

Paul

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
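One way to write the suppression so that it also covers the logging phase, as an added example that is not from the original post or from the CRS: the same IP match is kept in phase 1 (where the scanner's User-Agent can also be checked) and repeated in phase 5, the only phase that still runs for a request Apache rejects before phases 1-4. The IP 192.0.2.10, the User-Agent prefix and the rule ids are placeholders; whether this silences 981227 in a given setup should be confirmed by replaying the scan and watching the audit log.

```apache
# Added example, not part of the original post or the CRS.
# Goal: keep SecRuleEngine intervening for an authorized scanner, but stop
# the audit log entries it would otherwise generate.
# 192.0.2.10 and "AuthorizedScanner/" are placeholder values (assumptions).

# Phase 1: handles every transaction that reaches the request-header phase.
# The chain only switches the audit engine off when both the source address
# and the scanner's User-Agent match, so a spoofed address alone is not enough.
SecRule REMOTE_ADDR "^192\.0\.2\.10$" \
    "id:1000001,phase:1,pass,nolog,chain"
    SecRule REQUEST_HEADERS:User-Agent "@beginsWith AuthorizedScanner/" \
        "t:none,ctl:auditEngine=Off"

# Phase 5: the logging phase still runs for a request Apache refused early
# (the situation behind CRS 981227), so the phase 1 rule never saw it.
# Only REMOTE_ADDR is tested here because the request headers may not have
# been parsed for such a request.
SecRule REMOTE_ADDR "^192\.0\.2\.10$" \
    "id:1000002,phase:5,pass,nolog,ctl:auditEngine=Off"
```

The phase 5 rule does not need to precede the CRS rule in load order, because ctl:auditEngine=Off decides whether the transaction's audit record is written at the end of phase 5 rather than acting on an individual rule; the Apache error log entry for the rejected request is unaffected.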
