Re: [mod-security-users] Collections_remove_stale: Failed deleting collection
From: Rainer J. <rai...@ki...> - 2015-08-25 12:38:59
On 25.08.2015 at 12:02, Sophie Loewenthal wrote:
> Hi Rainer ,
>
>
>> Since 509 is very specific, why not taking the IP from the normal
>> access log of the web server?
> Mod_Sec is running in Detection Only mode. Would this be logged in the
> access log?

Any web server allows activating an access log. Typically it is already active by default. The contents of the log are adjustable, but again the IP and the HTTP status code should be there by default.

The access log contains one line for each HTTP request that was handled by the web server.

So you'd have to find the log or identify how to activate it for your web server, and identify the configured or default format of its content. It will then be easy to filter the log for all requests that were answered with a 509 and extract the IP addresses.

All of this access log stuff is independent of your mod_security config.

Regards,

Rainer

> On 8/25/2015 11:27 AM, Rainer Jung wrote:
>> On 25.08.2015 at 10:47, Sophie Loewenthal wrote:
>>> Hi Barry,
>>>
>>> Thank you for your well-penned reply.
>>>
>>> For a quick fix, I have put the directory into a ram disc, and
>>> shall run some pruning methods from cron.
>>>
>>> Your other suggestions require I spend more time on how I should
>>> differentiate between static and dynamic content, although I doubt any
>>> static is requested because this is a soap gateway. Looking anyway :)
>>>
>>> How else could I reduce modsec traffic? If I could wrap this code
>>> up into a LocationMatch and place inside a vhost entry, maybe this could
>>> help.
>>>
>>> Management would like a list of potential offenders by IP.
>>> How could I adapt this code to add logging of IP and/or request into a
>>> file? I looked at SecAuditLogParts and enabling everything, I could not
>>> see if it hit a rule. Currently this runs in detection mode.
>>> I have logging enabled on this rule:
>>> SecRule IP:SOMEPATHCOUNTER "@gt 120" "phase:2,pause:100,deny,status:509,setenv:RATELIMITED,skip:1,log,id:10000003,msg:Sophie_10000003"
>>> But would like an IP address logged when it was sent a 509 status message.
>>> Still reading
>>> https://www.feistyduck.com/library/modsecurity-handbook-free/online/ch04-logging.html
>>> !
>> Since 509 is very specific, why not taking the IP from the normal access
>> log of the web server?
>>
>> Regards
>>
>> Rainer
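The filtering Rainer describes, as an added example that is not part of the thread: a POSIX shell/awk snippet that pulls the client IPs answered with status 509 out of an Apache "combined" format access log and ranks them by hit count. It assumes the default LogFormat (client IP in field 1, HTTP status in field 9); the log lines are constructed, not real traffic.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): rank the client IPs that
# received a given HTTP status (default 509) from an Apache "combined" access log.
# Assumes the default LogFormat: field 1 is the client IP, fields 6-8 hold the
# quoted request line, and field 9 is the HTTP status code.

# Constructed sample access log lines (not real traffic).
SAMPLE_LOG='203.0.113.5 - - [25/Aug/2015:11:27:01 +0200] "POST /soap/gw HTTP/1.1" 509 312 "-" "Java/1.7"
198.51.100.9 - - [25/Aug/2015:11:27:02 +0200] "POST /soap/gw HTTP/1.1" 200 1042 "-" "Java/1.7"
203.0.113.5 - - [25/Aug/2015:11:27:02 +0200] "POST /soap/gw HTTP/1.1" 509 312 "-" "Java/1.7"
192.0.2.77 - - [25/Aug/2015:11:27:03 +0200] "GET /status HTTP/1.1" 509 312 "-" "curl/7.43"
203.0.113.5 - - [25/Aug/2015:11:27:04 +0200] "POST /soap/gw HTTP/1.1" 509 312 "-" "Java/1.7"
198.51.100.9 - - [25/Aug/2015:11:27:05 +0200] "POST /soap/gw HTTP/1.1" 5090 12 "-" "Java/1.7"'

# Read an access log on stdin and print "ip count" for every client that was
# answered with status $1 (default 509), most hits first, ties by IP.
count_status_by_ip() {
  status="${1:-509}"
  awk -v want="$status" '
    # Exact match on the status field, so 5090 or 50 never count as 509.
    $9 == want { hits[$1]++ }
    END { for (ip in hits) print ip, hits[ip] }
  ' | sort -k2,2nr -k1,1
}

# Just the top offender, handy for a one-line cron report.
top_offender() {
  count_status_by_ip "$@" | head -n 1
}

# Run against the constructed sample; on a real host pipe the access log in instead.
printf '%s\n' "$SAMPLE_LOG" | count_status_by_ip
```

Run it as `count_status_by_ip < /var/log/apache2/access.log` (path assumed) to get the per-IP list management asked for, with no dependency on the ModSecurity configuration.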