Re: [mod-security-users] How can I exclude Nagios check_http from mod_security

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Use the "allow" rule instead of "pass" on your Nagios filter.  Pass will
just skip that rule, while allow will not apply any other mod_security
filters.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

On 3/6/06, ste...@gm... <ste...@gm...> wrote:
>
> Hallo List
>
> I am unable to exclude Nagios check_http User Agent from mod_security.
>
> I have enabled the following rule:
>    # Detect manual and crude automated requests.
>    #
>    SecFilterSelective HTTP_Host|HTTP_User-Agent|HTTP_Accept "^$"
> "id:2,rev:1,severity:2,msg:'Empty HTTP Host, User-Agent or Accept)'"
>
>
> And Nagios check_http is hitting that rule. So I wrote a rule before that
> rule to exclude Nagios User Agent. But it does not work. This is the rule=
:
>    # Nagios check_http
>    SecFilterSelective HTTP_USER_AGENT
> "check_http/[0-9\.]+[[:space:]]+\(nagios\-plugins[[:space:]]+[0-9\.]+\)$"
> pass,nolog
>
> I tried to shorten the rule to, but It still does not work:
>    # Nagios check_http
>    SecFilterSelective HTTP_USER_AGENT "^check_http.*$" pass,nolog
>
> I tried as well to chain the rule, but that does as well not work:
>    SecFilterSelective HTTP_USER_AGENT
> "check_http/[0-9\.]+[[:space:]]+\(nagios\-plugins[[:space:]]+[0-9\.]+\)$"
> chain
>    SecFilterSelective HTTP_Accept "^$" pass,nolog
>
>
>
> But I am still getting the following error:
> =3D=3D0a550566=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> Request: abc.def.ghi.jkl abc.def.ghi.jkl - - [06/Mar/2006:22:49:26 +0100]
> "GET / HTTP/1.0" 403 280 "-" "check_http/1.81 (nagios-plugins 1.4.2)" -
> "-"
> ----------------------------------------
> GET / HTTP/1.0
> User-Agent: check_http/1.81 (nagios-plugins 1.4.2)
> Host: abc.def.ghi.jkl
> mod_security-message: Access denied with code 403. Pattern match "^$" at
> HEADER("Accept") [id "2"] [rev "1"] [msg "Empty HTTP Host, User-Agent or
> Accept)"] [severity "2"]
> mod_security-action: 403
>
> HTTP/1.0 403 Forbidden
> Content-Length: 280
> Connection: close
> Content-Type: text/html; charset=3Diso-8859-1
> --0a550566--
>
>
>
> What am I doing wrong?
>
> --
> Bis zu 70% Ihrer Onlinekosten sparen: GMX SmartSurfer!
> Kostenlos downloaden: http://www.gmx.net/de/go/smartsurfer
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting
> language
> that extends applications into web and mobile media. Attend the live
> webcast
> and join the prime developer group breaking into this new coding
> territory!
> http://sel.as-us.falkag.net/sel?cmd=3Dlnk&kid=3D110944&bid=3D241720&dat=
=3D121642
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>