Re: [mod-security-users] How can I exclude Nagios check_http from mod_security
From: Ryan B. <rcb...@gm...> - 2006-03-07 12:39:10
Use the "allow" rule instead of "pass" on your Nagios filter. Pass will just skip that rule, while allow will not apply any other mod_security filters.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

On 3/6/06, ste...@gm... <ste...@gm...> wrote:
>
> Hello list
>
> I am unable to exclude Nagios check_http User Agent from mod_security.
>
> I have enabled the following rule:
> # Detect manual and crude automated requests.
> #
> SecFilterSelective HTTP_Host|HTTP_User-Agent|HTTP_Accept "^$" "id:2,rev:1,severity:2,msg:'Empty HTTP Host, User-Agent or Accept)'"
>
> And Nagios check_http is hitting that rule. So I wrote a rule before that rule to exclude Nagios User Agent. But it does not work. This is the rule:
> # Nagios check_http
> SecFilterSelective HTTP_USER_AGENT "check_http/[0-9\.]+[[:space:]]+\(nagios\-plugins[[:space:]]+[0-9\.]+\)$" pass,nolog
>
> I tried to shorten the rule to, but it still does not work:
> # Nagios check_http
> SecFilterSelective HTTP_USER_AGENT "^check_http.*$" pass,nolog
>
> I also tried to chain the rule, but that does not work either:
> SecFilterSelective HTTP_USER_AGENT "check_http/[0-9\.]+[[:space:]]+\(nagios\-plugins[[:space:]]+[0-9\.]+\)$" chain
> SecFilterSelective HTTP_Accept "^$" pass,nolog
>
> But I am still getting the following error:
> ==0a550566==============================
> Request: abc.def.ghi.jkl abc.def.ghi.jkl - - [06/Mar/2006:22:49:26 +0100] "GET / HTTP/1.0" 403 280 "-" "check_http/1.81 (nagios-plugins 1.4.2)" - "-"
> ----------------------------------------
> GET / HTTP/1.0
> User-Agent: check_http/1.81 (nagios-plugins 1.4.2)
> Host: abc.def.ghi.jkl
> mod_security-message: Access denied with code 403. Pattern match "^$" at HEADER("Accept") [id "2"] [rev "1"] [msg "Empty HTTP Host, User-Agent or Accept)"] [severity "2"]
> mod_security-action: 403
>
> HTTP/1.0 403 Forbidden
> Content-Length: 280
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> --0a550566--
>
> What am I doing wrong?
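
The exclusion discussed in this thread, written out as ModSecurity 1.x directives. This is an added example, not part of the original messages: the REMOTE_ADDR chain link is an addition, 192.0.2.10 is a placeholder for the Nagios server's address, and the tightened User-Agent pattern is an assumption based on the string in the logged request.

```apache
# Before (from the thread): "pass" lets the request continue on a match,
# so rule id 2 further down still runs and denies the probe, which
# sends no Accept header.
# SecFilterSelective HTTP_USER_AGENT "^check_http.*$" pass,nolog

# After: "allow" on the last rule of the chain stops rule processing and
# lets the request through. User-Agent is client-supplied, so the chain
# also requires the monitoring host's source address (placeholder
# below); otherwise any client sending the same string would skip every
# later filter.
SecFilterSelective REMOTE_ADDR "^192\.0\.2\.10$" chain
SecFilterSelective HTTP_USER_AGENT "^check_http/[0-9.]+ \(nagios-plugins [0-9.]+\)$" allow,nolog

# The exclusion has to appear before this rule, because rules are
# evaluated in configuration order.
SecFilterSelective HTTP_Host|HTTP_User-Agent|HTTP_Accept "^$" "id:2,rev:1,severity:2,msg:'Empty HTTP Host, User-Agent or Accept)'"
```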