short summary:

I've configured
SecRuleUpdateActionById 981203 "chain,noauditlog,nolog,ctl:auditEngine=off"
after the original rule "981203" in "modsecurity_crs_60_correlation.conf".

But it doesn't work.

I've noticed the "Note" in the "Reference Manual":
------
Note : If the target rule is a chained rule, you must currently specify chain in the SecRuleUpdateActionById action list as well. This will be fixed in a future version.
------
and included the "chain" parameter.


On 18.10.2013 09:15, DC wrote:
Hello,

I have (too) many log entries from rule id "981203" in the web server error.log.
Now I would like to change/update the action "log,noauditlog" of rule id "981203" with SecRuleUpdateActionById.
I have appended the following rule (in modsecurity_crs_60_ED_Rules.conf) after the original rule (in modsecurity_crs_60_correlation.conf), but it doesn't work.

SecRuleUpdateActionById 981203 "chain,noauditlog,nolog,ctl:auditEngine=off"

Any idea?

Regards
 Dirk



Ubuntu: 12.04
Apache2: 2.2.22
ModSecurity-Version:  2.7.5
Core-Rule-Version: 2.2.8

modsecurity_crs_60_correlation.conf
#
# Correlated Attack Attempt
#
SecRule TX:INBOUND_ANOMALY_SCORE "@gt 0" \
    "chain,phase:5,id:'981203',t:none,log,noauditlog,pass,skipAfter:END_CORRELATION,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
        SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_level}"

modsecurity_crs_60_ED_Rules.conf
#
# modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0):
# Avoid Logging to the  error.log 
#
# Note : If the target rule is a chained rule, you must currently specify
#        chain in the SecRuleUpdateActionById action list as well.
#        This will be fixed in a future version.
SecRuleUpdateActionById 981203 "chain,noauditlog,nolog,ctl:auditEngine=off"


error.log
[Thu Oct 17 13:21:46 2013] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity/rules-enabled/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0): Common SPAM/Email Harvester crawler"] [hostname "xxx.xxxxxxx.xx"] [uri "/menu/NBMAAJvP_W11WnN6TnpzZkJDDAA"] [unique_id "Ul-IStRZk3EAAEd9EDQAAAAE"]

modsec_debug.log
NO entries found with/for "SecRuleUpdateActionById"
# grep -i SecRuleUpdateActionById modsec_debug.log
#

# grep Debug /etc/apache2/modsecurity/rules-enabled/modsecurity_crs_11_ED_config.conf
# -- Debug log configuration -------------------------------------------------
SecDebugLog            /var/log/apache2/security/modsec_debug.log
SecDebugLogLevel       10
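As an added check (not part of this thread or of ModSecurity itself), a small Python script that parses the `[key "value"]` fields of ModSecurity's Apache error.log entries and counts hits per rule id, so that after a reload you can tell whether rule 981203 is still writing to error.log. The sample lines are constructed (the first mirrors the entry quoted above); the rule id 999999 and the file name `modsecurity_crs_XX_constructed.conf` are placeholders, not real CRS values.

```python
import re
from collections import Counter

# Constructed sample of ModSecurity 2.x entries in the Apache error.log format.
# Line 1 mirrors the entry quoted in the post; lines 2 and 3 are made up, and
# id 999999 / modsecurity_crs_XX_constructed.conf are placeholders, not CRS rules.
SAMPLE_LOG = """\
[Thu Oct 17 13:21:46 2013] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity/rules-enabled/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0): Common SPAM/Email Harvester crawler"] [hostname "xxx.xxxxxxx.xx"] [uri "/menu/NBMAAJvP_W11WnN6TnpzZkJDDAA"] [unique_id "Ul-IStRZk3EAAEd9EDQAAAAE"]
[Thu Oct 17 13:22:01 2013] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity/rules-enabled/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=0, XSS=0): Request Missing an Accept Header"] [hostname "xxx.xxxxxxx.xx"] [uri "/"] [unique_id "CONSTRUCTED00000000001"]
[Thu Oct 17 13:22:05 2013] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Pattern match "constructed" at ARGS:q. [file "/etc/apache2/modsecurity/rules-enabled/modsecurity_crs_XX_constructed.conf"] [line "1"] [id "999999"] [msg "Constructed placeholder message"] [hostname "xxx.xxxxxxx.xx"] [uri "/search"] [unique_id "CONSTRUCTED00000000002"]
[Thu Oct 17 13:22:07 2013] [error] [client xxx.xxx.xxx.xxx] File does not exist: /var/www/favicon.ico
"""

# One bracketed field: [name "value"]; the value may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_modsec_line(line):
    """Return the [key "value"] fields of one ModSecurity error.log entry as a dict.

    Unquoted brackets such as [error] or [client ...] are not fields and are
    skipped. Returns None for lines that are not ModSecurity entries at all.
    """
    if "ModSecurity:" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def count_by_rule(lines):
    """Count ModSecurity entries per rule id; entries without an id are ignored."""
    counts = Counter()
    for line in lines:
        fields = parse_modsec_line(line)
        if fields and "id" in fields:
            counts[fields["id"]] += 1
    return counts


def messages_for_rule(lines, rule_id):
    """Collect the msg text of every entry emitted by rule_id, in log order."""
    out = []
    for line in lines:
        fields = parse_modsec_line(line)
        if fields and fields.get("id") == rule_id:
            out.append(fields.get("msg", ""))
    return out


def rule_still_logging(lines, rule_id):
    """True if rule_id still produced at least one error.log entry."""
    return count_by_rule(lines).get(rule_id, 0) > 0


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rid, n in count_by_rule(lines).most_common():
        print(f"{rid}: {n} entries")
    print("981203 still logging:", rule_still_logging(lines, "981203"))
```

Run it against the real file with `python3 script.py < /var/log/apache2/error.log` after swapping `SAMPLE_LOG.splitlines()` for `sys.stdin`; a count of zero for 981203 after the reload means the SecRuleUpdateActionById took effect.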







_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/