Re: [mod-security-users] Problem White Listing
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-03-08 12:29:50
Hey Vince, I am not sure why your 1st exemption rule for 127.0.0.1 is working and the other one is not. I would need to see some audit/debug log data to make a determination. I can say that for your rule for the remote InterMapper host, you need to specify "phase:1" on your rule for it to work the way that you want -

SecRule REMOTE_ADDR "^137\.82\.5\.97$" \
    phase:1,allow,nolog,ctl:ruleEngine=Off

Even though you included this rule in the modsecurity_crs_15_customrules.conf file - that only guaranteed that the rule would be "read" before the other Core Rules, not necessarily that it would be "executed" before the other rules. Since you didn't specify a phase, and there wasn't one set previously in the modsecurity_crs_10_config.conf file, it defaulted to phase:2 - Request Body. That means that all of the Core Rules that run in phase:1 executed prior to getting to your rule. Looking at your audit_log entry supports this concept, as one of the rules from the modsecurity_crs_21_protocol_anomalies.conf file matches (where the request is missing an Accept header).

I hope this helps.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

--------------
ModSecurity: Cool Rules Webinar on March 7, 2007 (12 pm EST)
Learn More About the Breach Webinar Series: http://www.breach.com/webinars.asp
--------------

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Vince Tingey
> Sent: Wednesday, March 07, 2007 6:30 PM
> To: mod...@li...
> Subject: [mod-security-users] Problem White Listing
>
> Hello Everyone,
>
> I'm having a problem white listing a computer that has InterMapper
> (http://dartware.com/products/intermapper/index.html) installed and
> probing the web server. I have been able to successfully white list the
> web server localhost ip to prevent its own service monitor from showing
> up in the logs, but creating the same rule for the intermapper computer
> does not work. The custom rules are created in a file called
> modsecurity_crs_15_customrules.conf in the mod security conf folder. The
> intermapper always shows up in the logs with the same ip (137.82.5.97),
> so I don't know what's going on.
>
> ######### Here is the log: ###########
>
> --0b67720a-A--
> [07/Mar/2007:14:43:32 --0800] 64WfzYlSYSIAAAvsDMAAAAAH 137.82.5.97 56730 137.82.97.34 80
> --0b67720a-B--
> GET / HTTP/1.0
> Host: www.msl.ubc.ca
> User-Agent: InterMapper/4.4.3b4
>
> --0b67720a-F--
> HTTP/1.1 302 Found
> Location: http://www.michaelsmith.ubc.ca/
> Content-Length: 324
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> --0b67720a-H--
> Message: Warning. Match of "rx OPTIONS" against "REQUEST_METHOD" required. [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"]
> Stopwatch: 1173307412291533 778 (- - -)
> Producer: ModSecurity v2.1.0 (Apache 2.x)
> Server: Apache
>
> --0b67720a-Z--
>
> ######### Here are my rules: ###########
>
> # Allows the localhost to remove itself from the logs.
> # This prevents a flood of logging due to a monitoring process that "pings"
> # the webserver process every min.
> SecRule REMOTE_ADDR "^127\.0\.0\.1$" allow,nolog,ctl:ruleEngine=Off
>
> # Allows the intermapper computer to monitor our webserver
> SecRule REMOTE_ADDR "^137\.82\.5\.97$" allow,nolog,ctl:ruleEngine=Off
>
>
> Any Help?
>
> --
>
> Vince Tingey | Michael Smith Laboratories
> IT Systems Coordinator | University of British Columbia
> Tel: 604.822.8895 | #301 - 2185 East Mall
> www.msl.ubc.ca | Vancouver, BC, Canada, V6T 1Z4
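As an added illustration (not code from this thread or from ModSecurity itself), here is a small Python model of the phase-ordered evaluation Ryan describes: the custom exemption is read first, but without `phase:1` it runs in phase 2, after CRS rule 960015 has already logged the missing Accept header. The rule id, address and headers come from the audit log above; the engine semantics (`allow`, `nolog`, `ctl:ruleEngine=Off`) are simplified stand-ins.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed, simplified model of ModSecurity 2.x rule ordering: rules are read
# from the conf files in order but executed grouped by phase (1 = request
# headers, 2 = request body); a rule with no explicit phase defaults to phase 2.
@dataclass
class Rule:
    rule_id: str
    variable: str                    # "REMOTE_ADDR" or "REQUEST_HEADERS"
    match: Callable[[object], bool]  # predicate over the variable's value
    actions: List[str]
    phase: int = 2                   # ModSecurity's default when none is set

@dataclass
class Request:
    remote_addr: str
    headers: Dict[str, str]

def evaluate(rules: List[Rule], req: Request) -> List[str]:
    """Run rules phase by phase, in file order within a phase; return ids that logged."""
    logged, engine_on = [], True
    for phase in (1, 2):
        for rule in rules:
            if not engine_on or rule.phase != phase:
                continue
            value = req.remote_addr if rule.variable == "REMOTE_ADDR" else req.headers
            if not rule.match(value):
                continue
            if "nolog" not in rule.actions:
                logged.append(rule.rule_id)
            if "ctl:ruleEngine=Off" in rule.actions:
                engine_on = False        # nothing later in the transaction runs
            if "allow" in rule.actions:
                break                    # allow ends the current phase
    return logged

# Stand-ins for the page's rules: CRS 960015 (phase 1, missing Accept header)
# and the custom exemption, which is read first (crs_15 before crs_21).
def crs_960015() -> Rule:
    return Rule("960015", "REQUEST_HEADERS", lambda h: "Accept" not in h, ["log"], phase=1)
def custom_exemption(phase: int = 2) -> Rule:
    return Rule("custom", "REMOTE_ADDR", lambda a: a == "137.82.5.97",
                ["allow", "nolog", "ctl:ruleEngine=Off"], phase)

PROBE = Request("137.82.5.97", {"Host": "www.msl.ubc.ca", "User-Agent": "InterMapper/4.4.3b4"})

def logged_with_default_phase() -> List[str]:
    return evaluate([custom_exemption(), crs_960015()], PROBE)         # ['960015']

def logged_with_phase1() -> List[str]:
    return evaluate([custom_exemption(phase=1), crs_960015()], PROBE)  # []
```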