Ivan Ristic wrote:
> Dionysios G. Synodinos wrote:
>
>> I use the following "big test":
>>
>> SecFilterSelective REMOTE_ADDR "!^148.101.211" chain
>> SecFilterSelective SCRIPT_FILENAME "(admin\.php|user\.php)$"
>>
>> which restricts access to admin.php & user.php (*) from outside my LAN.
>>
>> It seems that since the first filter matches for any other request
>> from the internet, it is recorded in the audit_log, even if the "big
>> test" doesn't match.
>>
>> Is there a way to avoid this behaviour since it clutters my logs with
>> unnecessary information?
>>
>> I use "SecAuditEngine RelevantOnly"
>
>
> That sounds like a bug to me, so you can count on it
> being fixed before 1.8.
When one of the chained rules fails then the message that is recorded in the audit_log informs that:
mod_security-message: Access denied with code 403. Pattern match BLAH BAH BLAH
If the whole chain fails then it adds a line (action):
mod_security-message: Access denied with code 403. Pattern match BLAH BLAH BLAH
mod_security-action: 403
It all depends on what your definition of "RelevantOnly" is. If it is "relevant" to record any match in a chain even if the whole chain fails, then it is not a bug. I would hope, though, that something like:
SecAuditEngine ActionOnly &
SecAuditEngine MessageOnly
comes up that will assist in fine-tuning what is recorded in the audit_log.
Anyway I tried to reverse the rules to see what happens and the result was that NOTHING IS RECORDED in the audit_log. I attach a piece of the debug_log.
Kind regards,
-dsin
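To make the two readings of "RelevantOnly" that the thread argues about concrete, here is a small Python model of how a two-rule SecFilterSelective chain is evaluated and which requests would end up in the audit_log under each policy. This is an added example written for this page; it is not mod_security code and does not claim to reproduce mod_security's actual logging implementation. The rule regexes are copied from the chain posted above; the request samples, the policy names "any_rule_match" and "whole_chain", and all function names are constructed for illustration.

```python
import re

# The two selective filters from the thread, as (variable, pattern, negated).
# The patterns are copied verbatim; note the unescaped dots in the address
# pattern, which in a regex match any character, not only a literal ".".
LAN_RULE = ("REMOTE_ADDR", r"^148.101.211", True)          # "!^148.101.211"
FILE_RULE = ("SCRIPT_FILENAME", r"(admin\.php|user\.php)$", False)

CHAIN = [LAN_RULE, FILE_RULE]        # order as posted: address check first
REVERSED = [FILE_RULE, LAN_RULE]     # order dsin tried afterwards

# Constructed sample requests (addresses are documentation ranges, not real hosts).
REQUESTS = {
    "lan_admin":      {"REMOTE_ADDR": "148.101.211.5", "SCRIPT_FILENAME": "/var/www/admin.php"},
    "internet_index": {"REMOTE_ADDR": "203.0.113.9",   "SCRIPT_FILENAME": "/var/www/index.php"},
    "internet_admin": {"REMOTE_ADDR": "203.0.113.9",   "SCRIPT_FILENAME": "/var/www/admin.php"},
}


def rule_matches(rule, request):
    """A rule matches when its pattern hits the variable; a leading '!' in
    SecFilterSelective inverts that, which the 'negated' flag models."""
    var, pattern, negated = rule
    hit = re.search(pattern, request[var]) is not None
    return hit != negated


def evaluate_chain(chain, request):
    """Evaluate rules in order. The chain denies only if every rule matches;
    evaluation stops at the first rule that does not match.
    Returns (denied, names_of_rules_that_matched_before_stopping)."""
    matched = []
    for rule in chain:
        if not rule_matches(rule, request):
            return False, matched
        matched.append(rule[0])
    return True, matched


def audit_decision(chain, request, policy):
    """Decide whether a request would be written to the audit_log.
    'any_rule_match': log if any rule in the chain matched (what dsin observed).
    'whole_chain':    log only if the complete chain matched and the request was denied."""
    denied, matched = evaluate_chain(chain, request)
    if policy == "any_rule_match":
        logged = bool(matched)
    elif policy == "whole_chain":
        logged = denied
    else:
        raise ValueError("unknown policy: %r" % policy)
    return {"denied": denied, "matched": matched, "logged": logged}


if __name__ == "__main__":
    for chain_name, chain in (("posted order", CHAIN), ("reversed order", REVERSED)):
        for req_name, req in REQUESTS.items():
            for policy in ("any_rule_match", "whole_chain"):
                print(chain_name, req_name, policy, audit_decision(chain, req, policy))
```

Running it shows the clutter dsin describes: with the posted order, every Internet request to a harmless page such as index.php matches the first (address) rule and so is logged under the "any rule match" reading, while under the "whole chain" reading only the denied requests to admin.php or user.php appear. With the order reversed, an Internet request to index.php fails the first rule outright, so no rule matches and nothing is logged under either reading; the model says nothing about why the denied case also went unlogged in dsin's debug_log.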