Yes!
It is somewhat unclear what exactly you're looking for based on your
configuration. If you just want to disable the rule, then you can use
(assuming CRS 3.x):
SecRuleRemoveById 913100
If you want it to continue to audit, add to the anomaly score and block
based on this, but not log, then you can use SecRuleUpdateActionById:
SecRuleUpdateActionById 913100 "block,\
    t:none,t:lowercase,nolog,severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
    setvar:'ip.reput_block_flag=1',\
    setvar:'ip.reput_block_reason=%{rule.msg}',\
    expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
Of note, SecRuleUpdateActionById and SecRuleRemoveById should be in
RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf, i.e. after your rules. For more
information on why, see
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
On Wed, Mar 13, 2019 at 2:22 AM Eero Volotinen <eer...@ik...>
wrote:
> Hi List,
>
> Is there an easy way to not log attacks from scanners-user-agents.data?
>
> .. due to log flood ..
>
> --
> Eero
--
Chaim Sanders
http://www.ChaimSanders.com
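
The placement point in the reply above, as an added example that is not part of the original message or of CRS: a Python check that walks configuration text in load order and reports any SecRuleRemoveById or SecRuleUpdateActionById that names a rule ID not yet defined at that point. The sample file contents are constructed (the 913100 rule body is an abbreviated stand-in), and ID ranges and Include resolution are assumed out of scope.

```python
import re

# Directives that act on rules already loaded, hence the AFTER-CRS exclusion file.
_POST_LOAD = re.compile(r'^\s*(SecRuleRemoveById|SecRuleUpdateActionById)\s+(\d+)\b', re.I)
_DEFINES = re.compile(r'(SecRule|SecAction)\b', re.I)
_RULE_ID = re.compile(r"\bid\s*:\s*'?(\d+)")

def join_continuations(text):
    """Join lines ending in a backslash, as the Apache config parser does."""
    return re.sub(r'\\\r?\n', '', text)

def misplaced_directives(files):
    """files: list of (name, text) in the order the server loads them.
    Returns (file, directive, rule_id) for each directive that references
    a rule ID no earlier SecRule/SecAction has defined."""
    defined, findings = set(), []
    for name, text in files:
        for line in join_continuations(text).splitlines():
            stripped = line.strip()
            if not stripped or stripped.startswith('#'):
                continue
            m = _POST_LOAD.match(line)
            if m:
                if m.group(2) not in defined:
                    findings.append((name, m.group(1), m.group(2)))
            elif _DEFINES.match(stripped):
                defined.update(_RULE_ID.findall(stripped))
    return findings

# Constructed sample: abbreviated stand-in for the CRS scanner user-agent rule.
CRS_913 = r'''SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
    "id:913100,\
    phase:2,\
    block,\
    t:none,t:lowercase,\
    severity:'CRITICAL'"
'''
# Constructed load orders: directive before the rule (wrong) and after it (right).
BAD_ORDER = [
    ("REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf", "SecRuleRemoveById 913100\n"),
    ("REQUEST-913-SCANNER-DETECTION.conf", CRS_913),
]
GOOD_ORDER = [
    ("REQUEST-913-SCANNER-DETECTION.conf", CRS_913),
    ("RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf",
     'SecRuleUpdateActionById 913100 "block,nolog"\n'),
]

if __name__ == "__main__":
    for label, order in (("bad", BAD_ORDER), ("good", GOOD_ORDER)):
        print(label, misplaced_directives(order))
```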