Hi Paul,

In which phase are you putting your ctl:auditEngine=off rule?

The ModSecurity default phase is 2. You might want to turn off the
audit-logging as soon as possible, so putting your rule into phase 1
and moving it to the very beginning should solve your problem.

Best regards,

    Chris


On 18.08.2011 at 09:21, Paul McGarry wrote:

> Hi all,
> 
> I have a site which is routinely scanned both internally and by
> an external service.
> I want to have mod_security running and intervening but don't want any
> of the associated log noise; the scans originate from known IPs and
> have known User agents etc. so I can easily identify them.
> 
> So far I have been turning the auditEngine off with things like:
> 
> SecRule REMOTE_ADDR "^123\.123\.123\.123$" "nolog,ctl:auditEngine=Off"
> 
> but I have noticed this doesn't catch everything, specifically CRS
> rule 981227 (Apache Error: Invalid URI in Request).
> 
> If I understand things correctly this is because Apache is blocking
> the request early and Modsec phases 1-4 don't run, it just goes
> straight to 5?
> 
> Should I be putting my rule above in phase 5 (additionally or instead)?
> 
> Ryan's blog at:
> 
> http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html
> 
> and modsecurity_crs_11_avs_traffic.conf CRS file seem to suggest that
> phase 1 is the preferred place but that doesn't seem to be entirely
> effective for me. Am I missing something?
> 
> Paul
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
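
Added example, not code from either poster or from the CRS project: a small Python check that scans a rules file for ctl:auditEngine=Off rules that have no explicit phase:1 or that appear after other rules in the file, which is the placement issue raised in the reply. The sample configuration is constructed, and the default phase of 2 is taken from the reply and assumes no SecDefaultAction overrides it.

```python
import re

# Constructed sample config; IPs and rule contents are illustrative only.
SAMPLE_CONF = r'''
SecRule REQUEST_HEADERS:User-Agent "@contains scanner" \
    "phase:1,pass,nolog"
SecRule REMOTE_ADDR "^123\.123\.123\.123$" "nolog,ctl:auditEngine=Off"
SecRule REMOTE_ADDR "^10\.0\.0\.5$" "phase:1,nolog,pass,ctl:auditEngine=Off"
'''

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
PHASE = re.compile(r'(?:^|,)\s*phase:\s*(\w+)', re.I)
AUDIT_OFF = re.compile(r'ctl:\s*auditEngine\s*=\s*off', re.I)
DEFAULT_PHASE = "2"  # assumption: no SecDefaultAction overrides the default


def audit_off_findings(conf_text):
    """List (rule_number, phase, problems) for misplaced audit-off rules."""
    joined = re.sub(r'\\\r?\n\s*', ' ', conf_text)  # join continuation lines
    rules = [line.strip() for line in joined.splitlines()
             if re.match(r'\s*Sec(Rule|Action)\b', line)]
    findings, seen_other = [], False
    for number, rule in enumerate(rules, 1):
        quoted = QUOTED.findall(rule)
        actions = quoted[-1] if quoted else ""  # action list is the last string
        if not AUDIT_OFF.search(actions):
            seen_other = True
            continue
        match = PHASE.search(actions)
        phase = match.group(1) if match else DEFAULT_PHASE
        problems = []
        if phase != "1":
            problems.append("explicit phase is not 1" if match
                            else "no phase given, runs in default phase")
        if seen_other:
            problems.append("other rules appear before it in the file")
        if problems:
            findings.append((number, phase, problems))
    return findings


if __name__ == "__main__":
    for number, phase, problems in audit_off_findings(SAMPLE_CONF):
        print(f"rule {number} (phase {phase}): " + "; ".join(problems))
```

The ordering check is by position in the file only; it does not model how ModSecurity orders rules across phases.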
