Re: [mod-security-users] proper way to modify or whitelist against UPDF rule
From: Cristóbal P. <cmp...@me...> - 2009-01-25 23:03:31
Ofer Shezaf wrote:
> Hi Christobal,
>
> I have simulated your situation and the exception works for me. It is
> important to remember to put the SecRuleRemoveById after the original
> declaration, for example in file "modsecurity_crs_60_custom_rules.conf".
>
> I could try to help with a more fine grained exception if you provided an
> audit record of the false positive.

It looks like I'm doing something wrong as far as specifying where and
how audit information is getting logged:

[root@187869-web1 httpd]# egrep -i "^[^#].*audit" \
    modsecurity.d/modsecurity_crs_10_config.conf
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Concurrent
SecAuditLogStorageDir logs/modsec_audit
SecAuditLogParts "ABIFHKZ"
[root@187869-web1 httpd]# ls -alh|grep logs
lrwxrwxrwx 1 root root 19 Nov 12 04:55 logs -> ../../var/log/httpd
[root@187869-web1 httpd]# ls -dlh logs/
drwx------ 4 root root 12K Jan 18 02:29 logs/
[root@187869-web1 httpd]# ls -dlh logs/modsec_audit/
drwxrwxr-x 2 root apache 4.0K Jan 15 11:56 logs/modsec_audit/

Apache logging works; I have lots of logs, including modsec entries in
the error logs for multiple vhosts. Perhaps I did something wrong at
compile time? Spec and conf.patch file attached in case that's helpful.

I recently joined #modsecurity on freenode as tarheelcoxn, btw. Perhaps
that channel is dead?

Cheers,
-- 
Cristóbal M. Palmer
ibiblio.org systems administrator
cdla.unc.edu research assistant
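
A check for the audit configuration shown in this message, added here as an example (it is not code from the thread or from the ModSecurity project): the ModSecurity reference manual requires the SecAuditLogStorageDir directory to be writable by the web server user, so this script reads the directives, walks the storage path, and reports the first directory a given uid cannot search or write. The function names are hypothetical, and only classic owner/group/other mode bits are evaluated (no ACLs, no SELinux).

```python
import os, re, tempfile

# Constructed sample: directives as shown in the egrep output above.
SAMPLE_CONF = """SecAuditEngine RelevantOnly
SecAuditLogType Concurrent
SecAuditLogStorageDir logs/modsec_audit
"""

def audit_storage_dir(conf_text):
    """Return SecAuditLogStorageDir when SecAuditLogType is Concurrent, else None."""
    seen = {}
    for line in conf_text.splitlines():
        m = re.match(r'\s*(SecAuditLog\w+)\s+"?([^"\s]+)', line)
        if m:
            seen[m.group(1).lower()] = m.group(2)
    if seen.get("secauditlogtype", "").lower() != "concurrent":
        return None
    return seen.get("secauditlogstoragedir")

def allowed(st, uid, gids, want):
    """Owner/group/other mode-bit check (w=2, x=1); ACLs and uid 0 are ignored."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return ((st.st_mode >> shift) & want) == want

def first_blocker(server_root, rel_dir, uid, gids):
    """Return (path, reason) for the first directory uid cannot use, or None."""
    path = server_root
    parts = [p for p in rel_dir.split("/") if p]
    for i, part in enumerate(parts):
        path = os.path.join(path, part)
        st = os.stat(path)  # follows symlinks; a symlink target's parents are not walked
        last = i == len(parts) - 1
        # Parents need search (x); the storage directory itself needs write + search.
        if not allowed(st, uid, gids, 3 if last else 1):
            return (path, "not writable" if last else "not searchable")
    return None

if __name__ == "__main__":
    # Constructed tree with the modes from the ls output: logs 0700, modsec_audit 0775.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "logs", "modsec_audit"))
    os.chmod(os.path.join(root, "logs", "modsec_audit"), 0o775)
    os.chmod(os.path.join(root, "logs"), 0o700)
    owner = os.stat(os.path.join(root, "logs")).st_uid
    # Hypothetical web-server account: any uid other than the directory owner.
    print(first_blocker(root, audit_storage_dir(SAMPLE_CONF), owner + 1, set()))
```

On a real host, pass the server root, the uid of the account the httpd children run as, and that account's group ids.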