[Owasp-modsecurity-core-rule-set] Question about RBL Match for SPAM Source Rule
OSSEC junkie
ossec.junkie at gmail.com
Wed Dec 9 02:57:15 EST 2009
All:
I am testing out this rule in our environment and wondered if this rule is a simple add into the /base_rules folder, then restart Apache, for this rule to take effect? I removed the block action right now so I can gauge the traffic going through and operate in a pass-through type of configuration, but have yet to see any sort of RBL action in the logs. Any ideas? I know we get lots of activity from IP addresses that are known bad according to Spamhaus.
# Rule 1 (chain starter): only query the RBL when this client has not already
# been flagged in the persistent IP collection; on a hit, jump past the marker.
SecRule &IP:SPAMMER "@eq 0" \
    "chain,phase:1,t:none,block,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',skipAfter:END_RBL_CHECK"
    # Rule 2 (chained): the actual DNSBL lookup of the client address.
    # Sets ip.spammer=1 and lets it expire after 86400 s (24 h).
    SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" \
        "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}',setvar:ip.spammer=1,expirevar:ip.spammer=86400"

# Rule 3: clients already flagged within the last 24 h are handled from the
# cached ip.spammer variable without another DNS lookup.
SecRule IP:SPAMMER "@eq 1" \
    "phase:1,t:none,block,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"

SecMarker END_RBL_CHECK
Thanks
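Two things about the quoted rule set are easy to miss when gauging traffic: the rules carry `nolog,auditlog`, so a hit is written to the ModSecurity audit log and not to the Apache error log, and `IP:SPAMMER` only exists if the `ip` collection has been initialised earlier in the configuration (`initcol:ip=%{remote_addr}`). The following is an added, offline Python model of what the three rules do per request, not code from the poster or from the CRS project: it builds the reversed-octet DNSBL query name, interprets Spamhaus answer codes, and reproduces the `ip.spammer` caching with its 86400 s expiry and the `skipAfter` flow. The function and class names, the `blocking` flag (standing in for removing the `block` action), and the sample resolver answers are assumptions constructed for this example; only the zone name, TTL and score come from the rule.

```python
"""Offline model of a CRS-style RBL check: reversed-octet DNSBL query,
Spamhaus answer-code interpretation, and an ip.spammer flag cached for
86400 s so that only the first request from an address costs a DNS lookup."""
import ipaddress
import socket
import time
from typing import Callable, Dict, List, Optional, Tuple

RBL_ZONE = "sbl-xbl.spamhaus.org"   # zone named in the rule
SPAMMER_TTL = 86400                 # expirevar:ip.spammer=86400
SCORE_PER_HIT = 20                  # setvar:tx.anomaly_score=+20

# Spamhaus answer codes: listings are 127.0.0.x; 127.255.255.x signals a query
# error (e.g. a blocked public resolver) and must not be treated as a listing,
# or every client would be flagged.
LISTING_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.4": "XBL",
    "127.0.0.9": "SBL DROP", "127.0.0.10": "PBL ISP", "127.0.0.11": "PBL",
}
LISTING_NET = ipaddress.IPv4Network("127.0.0.0/8")
ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")

Resolver = Callable[[str], List[str]]   # name -> A records, [] on NXDOMAIN


def rbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """DNSBL name for an IPv4 address: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # validates the address
    return ".".join(reversed(octets)) + "." + zone


def rbl_lookup(ip: str, resolve: Resolver, zone: str = RBL_ZONE) -> Tuple[bool, List[str]]:
    """Return (listed, labels). An error-range answer raises instead of matching."""
    labels: List[str] = []
    for answer in resolve(rbl_query_name(ip, zone)):
        addr = ipaddress.IPv4Address(answer)
        if addr in ERROR_NET:
            raise RuntimeError(f"DNSBL error code {answer} while checking {ip}")
        if addr in LISTING_NET:
            labels.append(LISTING_CODES.get(answer, f"unknown {answer}"))
    return bool(labels), labels


def system_resolver(name: str) -> List[str]:
    """Live resolver for real use; not exercised by the offline sample below."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


class IpCollection:
    """Minimal stand-in for ModSecurity's persistent 'ip' collection with expirevar."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._vars: Dict[Tuple[str, str], Tuple[int, float]] = {}

    def get(self, ip: str, name: str) -> Optional[int]:
        entry = self._vars.get((ip, name))
        if entry is None:
            return None
        value, expires = entry
        if self._clock() >= expires:        # expirevar: the variable vanishes after TTL
            del self._vars[(ip, name)]
            return None
        return value

    def set(self, ip: str, name: str, value: int, ttl: float) -> None:
        self._vars[(ip, name)] = (value, self._clock() + ttl)


def evaluate_rbl_chain(ip: str, ipcol: IpCollection, resolve: Resolver,
                       blocking: bool = True) -> Dict[str, object]:
    """Walk the three rules for one request and report what each one did.
    blocking=False models the poster's pass-through setup (block action removed)."""
    result: Dict[str, object] = {"dns_queried": False, "matched": False,
                                 "blocked": False, "anomaly_score": 0, "labels": []}
    if ipcol.get(ip, "spammer") is None:          # rule 1: &IP:SPAMMER "@eq 0"
        result["dns_queried"] = True
        listed, labels = rbl_lookup(ip, resolve)  # rule 2: REMOTE_ADDR "@rbl ..."
        if listed:                                 # whole chain matched
            ipcol.set(ip, "spammer", 1, SPAMMER_TTL)
            result.update(matched=True, labels=labels,
                          anomaly_score=SCORE_PER_HIT, blocked=blocking)
            return result                          # skipAfter:END_RBL_CHECK
    if ipcol.get(ip, "spammer") == 1:              # rule 3: IP:SPAMMER "@eq 1"
        result.update(matched=True, labels=["cached ip.spammer"],
                      anomaly_score=SCORE_PER_HIT, blocked=blocking)
    return result


# Constructed sample answers (documentation addresses); real data would come
# from system_resolver against the live zone.
SAMPLE_ANSWERS = {
    rbl_query_name("192.0.2.10"): ["127.0.0.2"],           # constructed: SBL listing
    rbl_query_name("198.51.100.7"): ["127.255.255.254"],   # constructed: error code
}


def sample_resolver(name: str) -> List[str]:
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    col = IpCollection()
    for _ in range(2):   # second request is served from the cached flag
        print(evaluate_rbl_chain("192.0.2.10", col, sample_resolver, blocking=False))
```

With `blocking=False` the model still reports `matched=True` and the `+20` anomaly score for a listed client, which is the signal to look for in the audit log when running pass-through; a second request from the same address within 24 h matches rule 3 without a DNS query.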