[mod-security-users] About comment spam and rbl checks
From: Ehsan M. <ehs...@gm...> - 2014-08-22 13:35:24
Hi,

I have enabled modsecurity_crs_42_comment_spam. According to the following rules, I think that if the RBL check response for a specific IP is positive, the IP must not be checked for the next 24 hours. But in my audit log I can see that rule id 981138 is being fired simultaneously for the same IP, and this means the RBL check for the same IP is being done in less than 24 hours (in my case every 3 to 5 minutes). What is wrong?

P.S.

    SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
        "phase:1,id:'981137',t:none,pass,nolog,skipAfter:END_RBL_LOOKUP"

    SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" \
        "phase:1,id:'981138',t:none,pass,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"

    SecAction \
        "phase:1,id:'981139',t:none,nolog,pass,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400"

    SecMarker END_RBL_LOOKUP

    SecRule IP:SPAMMER "@eq 1" \
        "phase:1,id:'981140',t:none,pass,nolog,auditlog,msg:'Request from Known SPAM Source (Previous RBL Match)',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"

    SecMarker END_RBL_CHECK

--
regards,
Ehsan.Mahdavi
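The rules quoted in the post only suppress repeat lookups if the ip.* collection they write to actually persists between requests, which the comment-spam file does not arrange on its own. The following is an added configuration example (not from the post above and not CRS code) showing the two prerequisites a practitioner would check first, plus a way to confirm from the debug log whether the collection is being read back. It assumes ModSecurity 2.x with CRS 2.2.x, whose setup file keys the IP collection as `%{remote_addr}_%{tx.ua_hash}`; the paths, the rule id 900990 and the log location are assumptions for illustration.

```apache
# Added example, not part of the original post or of the CRS.
# Prerequisite 1: collections are only persisted when SecDataDir is
# set and writable by the Apache worker user. Without it, setvar on
# ip.* does nothing and expirevar has nothing to expire.
SecDataDir /var/cache/modsecurity

# Prerequisite 2: the ip collection must be initialised before the
# comment-spam rules run. CRS 2.2.x does this in
# modsecurity_crs_10_setup.conf with
#     initcol:ip=%{remote_addr}_%{tx.ua_hash}
# i.e. keyed on address AND a hash of the User-Agent. A client that
# rotates its User-Agent therefore gets a fresh, empty collection on
# every request and is looked up in the RBL again, however long the
# expirevar is. If the 24 h suppression should apply per address,
# change the key in the setup file's initcol (do not add a second
# initcol for the same collection); the id here is an assumption.
SecAction \
  "phase:1,id:'900990',t:none,nolog,pass,\
  initcol:ip=%{remote_addr}"

# Check: temporarily raise the debug level and look for the
# collection messages ModSecurity emits on each request.
#   "Retrieved collection (name "ip", key "...")"   -> read back OK
#   "Wrote variable: name "previous_rbl_check""      -> stored OK
#   "Could not set variable "ip.previous_rbl_check"
#    as the collection does not exist"               -> initcol missing
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 9
#   grep -E 'Retrieved collection|Wrote variable|collection does not exist' \
#       /var/log/apache2/modsec_debug.log
```

Set SecDebugLogLevel back to its normal value (3 or lower) once the check is done; level 9 writes several kilobytes per request. If the debug log shows a different collection key for each hit on 981138, the User-Agent hash in the key is what is defeating the 24 h suppression, not expirevar itself.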