Ivan Ristic wrote:
> On 11/21/06, Dan Rossi <spam@...> wrote:
> I don't think there's anything you can do about it. Not having an
> User-Agent is perfectly legal as far as HTTP is concerned. You could
> try to allow such clients only from specific IP addresses, for
ok, just using some default rules.
> I am not sure what problem you are describing. Can you be more
> specific please?
Ok a rule for a cookie data check had a log,pass action was causing a
500 status from the default action deny,log,status:500 etc, i was also
getting a default status of 403 when i set the default action to
"auditlog,pass" so i can see what urls should be getting through but are
tripping the audit log, so still allow the traffic until i tweak
> Both ModSecurity 1.9.x and 2.x provide equal capabilities when it
> comes to rule overriding. You have options to either remove all rules
> and start from scratch, or remove only some rules (by their specific
> ID, ID range, or keyword that appears in the message). Look up
> SecRuleRemoveById and SecRuleRemoveByMsg in the manual. In both cases
> you can add new rules as you are pleased.
Ok these two rulesets allow for remove all and some rules in a location
> You can implement that via en external script using the exec action.
> In general it's not a very good idea unless you implement throttling
> too, ie have a mechanism that will prevent uncontrolled sending of
> thousands of emails.
I could look at some kind of "buffered smtp appender", what i was asking
specicially how are we able to send the message as an argument to a perl
script ie "deny,log,status:500,send:alert.pl themessagevarhere". I only
really need this for the start , as it seems im getting alot of
errornous audits which should be letting traffic through so i need to be
aware of it so take action and tweak things.