[Owasp-modsecurity-core-rule-set] help with preventing entries to audit log
Ryan Barnett
RBarnett at trustwave.com
Tue Aug 9 10:02:55 EDT 2011
Looks like you put this rule in your 48 local exceptions file. I would suggest you put it in a modsecurity_crs_15_customrules.conf file and change the phase to 1 (phase:1). This will ensure your rule runs before the current rule that is triggering the alert.
-Ryan
From: Gil Vidals <gvidals at vmracks.com>
Date: Tue, 9 Aug 2011 00:35:45 -0500
To: "owasp-modsecurity-core-rule-set at lists.owasp.org" <owasp-modsecurity-core-rule-set at lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] help with preventing entries to audit log
Changing pass to allow didn't help.
I forgot to mention mod sec is operating under DetectionOnly mode for the time being. The debug log shows that the pattern does match, but there is still an audit log entry being made for "pingdom"!
Here is the output of the debug log:
[08/Aug/2011:21:51:24 --0700] [www.commq.org/sid#7fe3411dd3e0][rid#7fe341733ca0][/][5] Rule 7fe340b17a40: SecRule "REQUEST_HEADERS:User-Agent" "@rx pingdom" "phase:2,nolog,noauditlog,pass,ctl:auditEngine=Off"
[08/Aug/2011:21:51:24 --0700] [www.commq.org/sid#7fe3411dd3e0][rid#7fe341733ca0][/][4] Executing operator "rx" with param "pingdom" against REQUEST_HEADERS:User-Agent.
[08/Aug/2011:21:51:24 --0700] [www.commq.org/sid#7fe3411dd3e0][rid#7fe341733ca0][/][4] Warning. Pattern match "pingdom" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/modsecurity.d/base_rules/modsecurity_crs_48_local_exceptions.conf"] [line "69"]
On Sat, Aug 6, 2011 at 12:06 PM, Josh Amishav-Zlatin <jamuse at gmail.com> wrote:
What happens if you use allow instead of pass? Can you see what rules are firing in the debug log?
--
- Josh
On Sat, Aug 6, 2011 at 12:09 AM, Gil Vidals <gvidals at vmracks.com> wrote:
Thanks for the response. There must be something deeper going on here because even after adding the line you suggested, I'm still getting these entries after restarting apache:
--c073772f-B--
GET /account/login/?next=/ HTTP/1.0
User-Agent: Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)
Host: blah.com
Why isn't this rule being applied as I thought? Is it time to turn on mod sec debugging?
SecRule REQUEST_HEADERS:User-Agent "pingdom" "nolog,noauditlog,pass,ctl:auditEngine=Off"
Gil Vidals / VM Racks
On Fri, Aug 5, 2011 at 1:02 PM, Ryan Barnett <RBarnett at trustwave.com> wrote:
You should use the ctl action in your rule to turn off the audit engine -
SecRule REQUEST_HEADERS:User-Agent "pingdom" "nolog,noauditlog,pass,ctl:auditEngine=Off"
Due to the fact that the UA data is easily spoofed, I would recommend you also do a check on the IP range or something so that attackers aren't evading your logging by putting pingdom in the UA field.
Ryan
On Aug 5, 2011, at 12:42 PM, "Gil Vidals" <gvidals at vmracks.com> wrote:
Need help in preventing the log entry from the monitoring system at pingdom.com because there are thousands of these entries per day. No matter what I try, I can't prevent the entry from being logged. I'm using the anomaly scoring.
in modsecurity_crs_48_local_exceptions.conf:
SecRule REQUEST_HEADERS:User-Agent "pingdom" "nolog,noauditlog,pass"
And after restarting apache, I still am getting these entries:
--4489f76b-B--
GET /account/login/?next=/ HTTP/1.0
User-Agent: Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)
Host: blah.com
What else do you recommend I try?
--
Gil Vidals, VCP
gvidals at vmracks.com
www.vmracks.com - VMware Hosting Service Provider
t. 760.705.4022 IM: gilvidals at hotmail.com
HIPAA Compliant Hosting
VMware Hosting
CONFIDENTIALITY NOTICE: The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, please contact the sender by reply email and permanently delete the original message.
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
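Putting the two suggestions from the thread together (run the exception in phase:1 from the modsecurity_crs_15_customrules.conf file, and tie it to the monitor's source addresses so that a request which merely spoofs "pingdom" in its User-Agent still gets audit-logged), here is an added example; it is not configuration posted in the thread or shipped by the CRS. Assumptions: rule id 10001 is an arbitrary local id, the 192.0.2.0/24 and 198.51.100.0/24 prefixes are RFC 5737 documentation ranges standing in for the monitoring provider's published probe addresses, and the @ipMatch operator requires ModSecurity 2.7 or later (on older builds an @rx or @beginsWith against REMOTE_ADDR would take its place).

```apache
# modsecurity_crs_15_customrules.conf   (added example, not from the thread)
#
# phase:1 evaluates against the request headers, before the CRS phase:2
# rules that were raising the alerts in the thread, which is why the
# exception belongs here rather than in the 48 local exceptions file.
#
# The two SecRules are chained: ctl:auditEngine=Off on the second rule
# only executes when BOTH the User-Agent mentions the monitor AND the
# client address is in the monitor's ranges.  A request that only spoofs
# the User-Agent fails the second rule and is audit-logged as usual.
#
# 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 placeholders; replace them
# with the monitoring provider's published probe addresses.  id:10001 is
# an arbitrary id from the range reserved for local rules (assumption).

SecRule REQUEST_HEADERS:User-Agent "@contains pingdom" \
    "phase:1,id:10001,t:none,t:lowercase,nolog,noauditlog,pass,chain"
    SecRule REMOTE_ADDR "@ipMatch 192.0.2.0/24,198.51.100.0/24" \
        "t:none,ctl:auditEngine=Off"
```

t:lowercase on the first rule lets the literal "pingdom" match the mixed-case "Pingdom.com_bot_version_1.4_(...)" header seen in the thread. To check the behaviour, send a request carrying that User-Agent once from an address inside the listed ranges and once from one outside them: only the second should still produce a new audit log transaction.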
More information about the Owasp-modsecurity-core-rule-set mailing list