On 18.10.2013 09:15, DC wrote:

I have (too) many log entries from rule ID "981203" in the web server error.log.
Now I would like to change/update the action "log,noauditlog" of rule ID "981203" with SecRuleUpdateActionById.
I have appended the following rule (in modsecurity_crs_60_ED_Rules.conf)
after the original rule (in modsecurity_crs_60_correlation.conf),
but it doesn't work.

SecRuleUpdateActionById 981203 "chain,noauditlog,nolog,ctl:auditEngine=off"

Any idea?


Ubuntu: 12.04
Apache2: 2.2.22
ModSecurity-Version:  2.7.5
Core-Rule-Version: 2.2.8

# Correlated Attack Attempt
    "chain,phase:5,id:'981203',t:none,log,noauditlog,pass,skipAfter:END_CORRELATION,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
        SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_level}"

# modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0):
# Avoid Logging to the  error.log 
# Note : If the target rule is a chained rule, you must currently specify
#        chain in the SecRuleUpdateActionById action list as well.
#        This will be fixed in a future version.
SecRuleUpdateActionById 981203 "chain,noauditlog,nolog,ctl:auditEngine=off"

[Thu Oct 17 13:21:46 2013] [error] [client] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity/rules-enabled/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0): Common SPAM/Email Harvester crawler"] [hostname "xxx.xxxxxxx.xx"] [uri "/menu/NBMAAJvP_W11WnN6TnpzZkJDDAA"] [unique_id "Ul-IStRZk3EAAEd9EDQAAAAE"]

NO entries found with/for "SecRuleUpdateActionById"
# grep -i SecRuleUpdateActionById modsec_debug.log

# grep Debug /etc/apache2/modsecurity/rules-enabled/modsecurity_crs_11_ED_config.conf
# -- Debug log configuration -------------------------------------------------
SecDebugLog            /var/log/apache2/security/modsec_debug.log
SecDebugLogLevel       10
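
A load-order check for the setup described above, as an added example that is not part of the original post. It assumes the rule files are loaded through a wildcard Include that Apache sorts byte-wise (uppercase before lowercase) and that SecRuleUpdateActionById only affects a rule that has already been loaded; the file contents are constructed stand-ins, and `load_order` and `check_updates` are hypothetical helper names.

```python
import re

# Constructed sample input: the two file names come from the post; the
# contents are shortened stand-ins for the real rule files.
SAMPLE = {
    "modsecurity_crs_60_correlation.conf":
        "# Correlated Attack Attempt\n"
        "    \"chain,phase:5,id:'981203',t:none,log,noauditlog,pass\"\n",
    "modsecurity_crs_60_ED_Rules.conf":
        "# Avoid logging to the error.log\n"
        'SecRuleUpdateActionById 981203 "chain,noauditlog,nolog"\n',
}

RULE_ID = re.compile(r"\bid:'?(\d+)'?")
UPDATE = re.compile(r"^\s*SecRuleUpdateActionById\s+(\d+)")


def load_order(names):
    """Assumed include order: byte-wise sort, so 'E' (0x45) precedes 'c' (0x63)."""
    return sorted(names, key=lambda n: n.encode("utf-8"))


def check_updates(files):
    """Return (rule_id, file, status) for every SecRuleUpdateActionById found."""
    defined, updates = {}, []
    position = 0
    for name in load_order(files):
        for line in files[name].splitlines():
            position += 1
            if line.lstrip().startswith("#"):
                continue  # skip comments, including commented-out rules
            match = UPDATE.match(line)
            if match:
                updates.append((match.group(1), name, position))
                continue
            for rule_id in RULE_ID.findall(line):
                defined.setdefault(rule_id, position)
    results = []
    for rule_id, name, position in updates:
        if rule_id not in defined:
            status = "rule-not-found"
        elif defined[rule_id] < position:
            status = "ok"
        else:
            status = "loaded-before-rule"
        results.append((rule_id, name, status))
    return results


if __name__ == "__main__":
    for rule_id, name, status in check_updates(SAMPLE):
        print(f"{rule_id} {name}: {status}")
```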
