Thread: [mod-security-users] Keep modsecurity from logging Apache Errors
From: Winfried N. <ne...@cl...> - 2013-10-23 15:19:49
Hi,

I am running mod_security on an Apache webserver. I've configured an IP whitelist for some internal users that I want to be unfiltered, which is working as expected.

Problem is, when an internal user causes a HTTP 401 (Authorization Required) or HTTP 400 (Bad Request), these requests still show up in the Audit log as "Apache-Error":

--c9db3f2a-H--
Apache-Error: [file "mod_auth_basic.c"] [line 257] [level 3] user xyz: authentication failure for "/zyx/foobar": Password Mismatch
Stopwatch: 1382537523511498 1212 (- - -)
Stopwatch2: 1382537523511498 1212; combined=308, p1=149, p2=0, p3=1, p4=69, p5=56, sr=57, sw=33, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.4 (http://www.modsecurity.org/)
Server: Apache
Engine-Mode: "ENABLED"

I've set up the whitelist rule with "nolog" action, but still these are getting logged. Is there a way to avoid this?

Thanks
Winfried
From: Darvin R. A. <da...@re...> - 2013-10-23 16:02:46
I am running mod_security on Apache webserver and need to know how I can create a whitelist by IP.

Greetings.
Darvin.
From: Josh Amishav-Z. <ja...@ow...> - 2013-10-23 17:38:14
On Wed, Oct 23, 2013 at 6:40 PM, Darvin Rivera Aguilar <da...@re...> wrote:

> I am running mod_security on Apache webserver and need to know how I can
> create a whitelist by IP.

Hi Darvin,

There are a couple of operators you could use, but a simple example to whitelist the IP 1.2.3.4 is:

SecRule REMOTE_ADDR "@streq 1.2.3.4" "phase:1, \
nolog,id:613,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"

--
- Josh
From: Macks, A. <am...@ha...> - 2013-10-23 17:37:44
I did that with a rule like this:

SecRule REMOTE_ADDR "^192.168" "phase:1,nolog,id:1,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"

set the proper IP address in the regex and it should ignore it

A

On Oct 23, 2013, at 11:40 AM, Darvin Rivera Aguilar <da...@re...> wrote:

> I am running mod_security on Apache webserver and need to know how I can create a whitelist by IP.

--
Aaron Macks
Systems Architect
Harvard Business Publishing
300 North Beacon St. | Watertown, MA 02472
(617) 783-7461 | Fax: (617) 783-7467
www.harvardbusiness.org | Cell:(978) 317-3614
From: Jason S. <js...@ac...> - 2013-10-23 17:59:53
Or you can use an external file:

SecRule REMOTE_ADDR "@pmFromFile modsecurity_nolog.data" "pass,nolog,id:90020,ctl:auditEngine=Off"

(I'm only turning off logging, not the ruleEngine)

the modsecurity_nolog.data file exists in the same directory as the file containing this directive and contains a new line with each IP. e.g.

192.168.2.4
192.168.2.5
8.8.8.8

My file contains over 160 lines.

J

On Wed, Oct 23, 2013 at 12:21 PM, Macks, Aaron <am...@ha...> wrote:

> I did that with a rule like this:
>
> SecRule REMOTE_ADDR "^192.168"
> "phase:1,nolog,id:1,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
>
> set the proper IP address in the regex and it should ignore it
From: Ryan B. <RBa...@tr...> - 2013-10-23 18:26:02
I recommend the use of either the @ipMatch or @ipMatchFromFile operators when inspecting REMOTE_ADDR variable data.

Ryan Barnett
Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

On Oct 23, 2013, at 2:04 PM, "Jason Sajdak" <js...@ac...> wrote:

> Or you can use an external file:
>
> SecRule REMOTE_ADDR "@pmFromFile modsecurity_nolog.data" "pass,nolog,id:90020,ctl:auditEngine=Off"
>
> (I'm only turning off logging, not the ruleEngine)
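Why the operator matters when the variable is REMOTE_ADDR, as an added example that is not part of the thread: it models @pmFromFile as a case-insensitive phrase (substring) match and @ipMatchFromFile as parsed address/CIDR comparison, then lists addresses the phrase match would exempt although they are not in the file. The allowlist entries are the sample lines quoted above; the client addresses and all function names are constructed for illustration.

```python
import ipaddress

# Sample lines from the modsecurity_nolog.data excerpt quoted in the thread.
ALLOWLIST_FILE = """\
192.168.2.4
192.168.2.5
8.8.8.8
"""

# Constructed client addresses (not from the thread).
CLIENTS = ["192.168.2.4", "192.168.2.40", "192.168.2.55",
           "8.8.8.8", "18.8.8.8", "8.8.8.80", "10.0.0.1"]


def parse_entries(text):
    """Return non-empty, non-comment lines of an allowlist file."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def phrase_match(addr, phrases):
    """Model of @pm/@pmFromFile: true if any phrase occurs anywhere in the input."""
    haystack = addr.lower()
    return any(p.lower() in haystack for p in phrases)


def ip_match(addr, entries):
    """Model of @ipMatch/@ipMatchFromFile: compare a parsed address with host or CIDR entries."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                      # not an address at all: never allowlisted
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue                      # skip malformed allowlist lines
        if ip.version == net.version and ip in net:
            return True
    return False


def over_matches(clients, entries):
    """Clients the phrase match exempts although no entry covers their address."""
    return [c for c in clients
            if phrase_match(c, entries) and not ip_match(c, entries)]


if __name__ == "__main__":
    entries = parse_entries(ALLOWLIST_FILE)
    for client in CLIENTS:
        print(f"{client:14} phrase={phrase_match(client, entries)!s:5} "
              f"ip={ip_match(client, entries)}")
    print("exempted only by the phrase match:", over_matches(CLIENTS, entries))
```

An allowlist that also switches off `ruleEngine` or `auditEngine` should be checked this way before deployment, since every over-match is a client that is neither filtered nor logged.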
From: Josh Amishav-Z. <ja...@ow...> - 2013-10-23 18:23:25
On Wed, Oct 23, 2013 at 6:03 PM, Winfried Neessen <ne...@cl...> wrote:

> I've set up the whitelist rule with "nolog" action, but still these are
> getting logged. Is there a way to avoid this?

Hi Winfried,

What is your SecAuditLogRelevantStatus directive set to?

--
- Josh
From: Winfried N. <ne...@cl...> - 2013-10-24 10:06:17
Hi Josh,

this is my setting: SecAuditLogRelevantStatus "^(?:5|4(?!04))"

This is ok and intended, but I was assuming, when I add a whitelist rule, with "allow" and "nolog" that it would not log anything else.

Any ideas?

Thanks
Winni

From: Josh Amishav-Zlatin [mailto:ja...@ow...]
Sent: Wednesday, October 23, 2013 8:23 PM
To: mod...@li...
Subject: Re: [mod-security-users] Keep modsecurity from logging Apache Errors

> Hi Winfried,
>
> What is your SecAuditLogRelevantStatus directive set to?
From: Josh Amishav-Z. <ja...@ow...> - 2013-10-24 14:19:45
On Thu, Oct 24, 2013 at 1:06 PM, Winfried Neessen <ne...@cl...> wrote:

> Hi Josh,
>
> this is my setting: SecAuditLogRelevantStatus "^(?:5|4(?!04))"

Hi Winfried,

Can you verify the HTTP response code that is triggering the event? Assuming it's a 401, can you try updating your SecAuditLogRelevantStatus directive to:

SecAuditLogRelevantStatus "^(?:5|4(?:0[14]))"

--
- Josh

> This is ok and intended, but I was assuming, when I add a whitelist rule,
> with "allow" and "nolog" that it would not log anything else.
>
> Any ideas?
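How the SecAuditLogRelevantStatus patterns in this exchange classify response codes, as an added example that is not part of the thread. It evaluates the two patterns exactly as posted plus a negative-lookahead variant that is an assumption added here for comparison, and uses a simplified model of `SecAuditEngine RelevantOnly` (a transaction is audited when a rule flagged it for logging or its status matches the pattern); the status list and function names are constructed.

```python
import re

PATTERNS = {
    # Winfried's current setting, as quoted in the thread.
    "current": r"^(?:5|4(?!04))",
    # The pattern as posted in the reply above.
    "posted": r"^(?:5|4(?:0[14]))",
    # Assumption, not from the thread: negative lookahead excluding 401 and 404.
    "lookahead": r"^(?:5|4(?!0[14]))",
}

# Constructed set of response codes to classify.
STATUSES = [200, 302, 400, 401, 403, 404, 500, 503]


def relevant_statuses(pattern, statuses=STATUSES):
    """Status codes the pattern marks as relevant (regex applied to the code as text)."""
    rx = re.compile(pattern)
    return [s for s in statuses if rx.search(str(s))]


def audit_logged(status, pattern, rule_flagged=False):
    """Simplified RelevantOnly decision: flagged by a logging rule OR relevant status.

    rule_flagged stands for a rule that matched with log/auditlog, such as
    "deny,status:401,log"; per-transaction ctl:auditEngine overrides are not modelled.
    """
    return rule_flagged or re.search(pattern, str(status)) is not None


def summary():
    """Map each pattern name to the codes it marks relevant."""
    return {name: relevant_statuses(p) for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, codes in summary().items():
        print(f"{name:10} {PATTERNS[name]:22} -> {codes}")
    # A plain 401 from mod_auth_basic versus a 401 produced by a logging rule.
    for name, pattern in PATTERNS.items():
        print(name,
              "plain 401:", audit_logged(401, pattern),
              "rule-generated 401:", audit_logged(401, pattern, rule_flagged=True))
```

`(?:...)` is a non-capturing group and `(?!...)` a negative lookahead, so the two forms select opposite sets of 4xx codes; running candidate patterns against the codes you expect to see is a quick check before changing the directive.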
From: Winfried N. <ne...@cl...> - 2013-10-25 07:04:42
Hi Josh,

> Can you verify the HTTP response code that is triggering the event?
> Assuming it's a 401,
> can you try updating your SecAuditLogRelevantStatus directive to:
>
> SecAuditLogRelevantStatus "^(?:5|4(?:0[14]))"

Yes I can verify that it's a 401. I caused it by entering wrong credentials into a Basic Auth form.

Wouldn't changing the SecAuditLogRelevantStatus to your example prevent ModSec from logging any 401 event to the audit log, even if I send it to the user using "deny,status:401,log"?

If not, that's exactly what I'm looking for.

Thanks
Winfried
From: Josh Amishav-Z. <ja...@ow...> - 2013-10-27 09:48:53
On Fri, Oct 25, 2013 at 10:04 AM, Winfried Neessen <ne...@cl...> wrote:

> Wouldn't changing the SecAuditLogRelevantStatus to your example, prevent
> ModSec from logging any 401 event to the audit log, even if I send it to
> the user using "deny,status:401,log"?
>
> If not, that's exactly what I'm looking for.

Hi Winfried,

I just tested this setup and ModSec logged the event that matched the following rule:

SecRule ARGS "test" "id:2,phase:2,deny,status:401,log"

--
- Josh
From: Winfried N. <ne...@cl...> - 2013-10-28 08:42:11
Hi Josh,

> I just tested this setup and ModSec logged the event that matched the
> following rule:
> SecRule ARGS "test" "id:2,phase:2,deny,status:401,log"

Thanks, that sounds good to me. I'll give it a try.

Winni