mod-security-users Mailing List for ModSecurity (Page 579)

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Ivan Ristic wrote:

> Dionysios G. Synodinos wrote:
>
>> I use the following "big test":
>>
>>    SecFilterSelective REMOTE_ADDR "!^148.101.211" chain
>>    SecFilterSelective SCRIPT_FILENAME "(admin\.php|user\.php)$"
>>
>> which restricts access to admin.php & user.php (*) from outside my LAN.
>>
>> It seems that since the first filter matches for any other request 
>> from the internet, it is recorded in the audit_log, even if the "big 
>> test" doesn't match.
>>
>> Is there a way to avoid this behaviour since it clutters my logs with 
>> unneccesary information..?
>>
>> I use "SecAuditEngine RelevantOnly"
>
>
>   That sounds like a bug to me, so you can count on it
>   being fixed before 1.8.

When one of the chained rules fails then the message that is recorded in the audit_log informs that:

	mod_security-message: Access denied with code 403. Pattern match BLAH BAH BLAH 

If the whole chain fails then it adds a line (action):

	mod_security-message: Access denied with code 403. Pattern match BLAH BLAH BLAH 
	mod_security-action: 403

It all depends on what your definition of what "RelevantOnly" means. If it is "relevant" to record any match in a chain even if the whole chain fails then it is not a bug. I would hope thow that something like:

	SecAuditEngine ActionOnly &
	SecAuditEngine MessageOnly

comes ups that will assist in fine tuning of what is recorded in the audit_log.

Anyway I tried to reverse the rules to see what happens and the result was that NOTHING IS RECORDED in the audit_log. I attach a piece of the debug_log.

Kind regards,
-dsin

2003	Jan	Feb	Mar	Apr	May	Jun (2)	Jul (17)	Aug (7)	Sep (8)	Oct (11)	Nov (14)	Dec (19)
2004	Jan (46)	Feb (14)	Mar (20)	Apr (48)	May (15)	Jun (20)	Jul (36)	Aug (24)	Sep (31)	Oct (28)	Nov (23)	Dec (12)
2005	Jan (69)	Feb (61)	Mar (82)	Apr (53)	May (26)	Jun (71)	Jul (27)	Aug (52)	Sep (28)	Oct (49)	Nov (104)	Dec (74)
2006	Jan (61)	Feb (148)	Mar (82)	Apr (139)	May (65)	Jun (116)	Jul (92)	Aug (101)	Sep (84)	Oct (103)	Nov (174)	Dec (102)
2007	Jan (166)	Feb (161)	Mar (181)	Apr (152)	May (192)	Jun (250)	Jul (127)	Aug (165)	Sep (97)	Oct (135)	Nov (206)	Dec (56)
2008	Jan (160)	Feb (135)	Mar (98)	Apr (89)	May (115)	Jun (95)	Jul (188)	Aug (167)	Sep (153)	Oct (84)	Nov (82)	Dec (85)
2009	Jan (139)	Feb (133)	Mar (128)	Apr (105)	May (135)	Jun (79)	Jul (92)	Aug (134)	Sep (73)	Oct (112)	Nov (159)	Dec (80)
2010	Jan (100)	Feb (116)	Mar (130)	Apr (59)	May (88)	Jun (59)	Jul (69)	Aug (67)	Sep (82)	Oct (76)	Nov (59)	Dec (34)
2011	Jan (84)	Feb (74)	Mar (81)	Apr (94)	May (188)	Jun (72)	Jul (118)	Aug (109)	Sep (111)	Oct (80)	Nov (51)	Dec (44)
2012	Jan (80)	Feb (123)	Mar (46)	Apr (12)	May (40)	Jun (62)	Jul (95)	Aug (66)	Sep (65)	Oct (53)	Nov (42)	Dec (60)
2013	Jan (96)	Feb (96)	Mar (108)	Apr (72)	May (115)	Jun (111)	Jul (114)	Aug (87)	Sep (93)	Oct (97)	Nov (104)	Dec (82)
2014	Jan (96)	Feb (77)	Mar (71)	Apr (40)	May (48)	Jun (78)	Jul (54)	Aug (44)	Sep (58)	Oct (79)	Nov (51)	Dec (52)
2015	Jan (55)	Feb (59)	Mar (48)	Apr (40)	May (45)	Jun (63)	Jul (36)	Aug (49)	Sep (35)	Oct (58)	Nov (21)	Dec (47)
2016	Jan (35)	Feb (81)	Mar (43)	Apr (41)	May (77)	Jun (52)	Jul (39)	Aug (34)	Sep (107)	Oct (67)	Nov (54)	Dec (20)
2017	Jan (99)	Feb (37)	Mar (86)	Apr (47)	May (57)	Jun (55)	Jul (34)	Aug (31)	Sep (16)	Oct (49)	Nov (53)	Dec (33)
2018	Jan (25)	Feb (11)	Mar (79)	Apr (77)	May (5)	Jun (19)	Jul (17)	Aug (7)	Sep (13)	Oct (22)	Nov (13)	Dec (68)
2019	Jan (44)	Feb (17)	Mar (40)	Apr (39)	May (18)	Jun (14)	Jul (20)	Aug (31)	Sep (11)	Oct (35)	Nov (3)	Dec (10)
2020	Jan (32)	Feb (16)	Mar (10)	Apr (22)	May (2)	Jun (34)	Jul (1)	Aug (8)	Sep (36)	Oct (16)	Nov (13)	Dec (10)
2021	Jan (16)	Feb (23)	Mar (45)	Apr (28)	May (6)	Jun (17)	Jul (8)	Aug (1)	Sep (2)	Oct (35)	Nov	Dec (5)
2022	Jan	Feb (17)	Mar (23)	Apr (23)	May (9)	Jun (8)	Jul	Aug	Sep (7)	Oct (5)	Nov (16)	Dec (4)
2023	Jan	Feb	Mar (3)	Apr	May (1)	Jun (4)	Jul (1)	Aug	Sep (2)	Oct (1)	Nov	Dec
2024	Jan (7)	Feb (13)	Mar (18)	Apr	May	Jun	Jul	Aug	Sep (2)	Oct (1)	Nov (5)	Dec (3)
2025	Jan	Feb	Mar	Apr (12)	May (12)	Jun (2)	Jul (3)	Aug	Sep	Oct	Nov	Dec

mod-security-users Mailing List for ModSecurity (Page 579)

mod-security-users — General discussion about mod_security