Re: [mod-security-users] "nolog" statement not working
Brought to you by:
victorhora,
zimmerletw
From: Ryan B. <RBa...@tr...> - 2011-04-14 17:40:58
|
The ModSecurity logging actions only control the logging to the apache error log and modsec audit log. On Apr 14, 2011, at 1:36 PM, "Michael W. Lucas" <mw...@bl...> wrote: > Hi, > > Searched the archives, haven't figured out an answer, but I'm pretty > new to mod_security. Any advice appreciated. > > I'm using mod_security 2.5.13 with Apache 2.2 on FreeBSD 9. I just > After my upgrade to CRS 2.1.2, my "nolog" statements in my referral > spam blocking rules aren't working. > > I've mad the following changes to modsecurity_crs_10_config.conf > > SecRuleEngine On > SecDefaultAction "phase:2,deny,nolog,auditlog" > SecDebugLogLevel 2 > SecDebugLog /var/log/modsecurity.log > > I defined "SecDataDir /var/run/modsecurity" in a separate config file, > so that I could activate modsecurity_crs_42_comment_spam.conf. > > I also have a referer.conf that contains rules like: > > SecRule REQUEST_HEADERS:REFERER "(?i:(porn))" deny,nolog,auditlog,status:500 > > The block is working: > > # wget http://www.blackhelicopters.org/ --referer="porn" > --2011-04-14 12:46:25-- http://www.blackhelicopters.org/ > Resolving www.blackhelicopters.org (www.blackhelicopters.org)... 198.22.63.8, 2001:470:1f10:b9c::2 > Connecting to www.blackhelicopters.org (www.blackhelicopters.org)|198.22.63.8|:80... connected. > HTTP request sent, awaiting response... 500 Internal Server Error > 2011-04-14 12:46:26 ERROR 500: Internal Server Error. > > But the GET requests are showing up in my access log: > > 198.22.63.8 - - [14/Apr/2011:12:46:26 -0400] "GET / HTTP/1.0" 500 550 "porn" "Wget/1.12 (freebsd9.0)" > > Shouldn't the nolog statement prevent this? Any suggestions how to > achieve that? > > Thanks for any hints, > ==ml > > -- > Michael W. Lucas > http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/ > Latest book: Network Flow Analysis http://www.networkflowanalysis.com/ > mwlucas@BlackHelicopters.org, Twitter @mwlauthor > > ------------------------------------------------------------------------------ > Benefiting from Server Virtualization: Beyond Initial Workload > Consolidation -- Increasing the use of server virtualization is a top > priority.Virtualization can reduce costs, simplify management, and improve > application availability and disaster protection. Learn more about boosting > the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > ModSecurity Services from Trustwave's SpiderLabs: > https://www.trustwave.com/spiderLabs.php > |