[Owasp-modsecurity-core-rule-set] RBL Lookup File - ip.pag help!

OSSEC junkie ossec.junkie at gmail.com
Mon Jan 25 11:14:30 EST 2010


Here is the ruleset below (re-joined onto logical lines; the original had `phase:1.t:none` with a period instead of a comma in the SecAction, and the msg text was broken mid-word by line wrapping):

# If this client was already looked up in the last 24h, skip the RBL query.
SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" "phase:1,t:none,pass,nolog,skipAfter:END_RBL_LOOKUP"

# Query the RBL; on a hit, remember the client as a spammer for 24h.
SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" \
  "phase:1,t:none,log,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2', \
  setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,logdata:'%{TX.0}', \
  setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}, \
  setvar:ip.spammer=1,expirevar:ip.spammer=86400, \
  setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"

# Not listed: remember the clean result for 24h so the lookup is not repeated.
SecAction "phase:1,t:none,nolog,pass,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400"

SecMarker END_RBL_LOOKUP

# Flag requests from clients already marked by an earlier RBL match.
SecRule IP:SPAMMER "@eq 1" \
  "phase:1,t:none,log,auditlog,msg:'Request from Known SPAM Source (Previous RBL Match)',tag:'AUTOMATION/MALICIOUS',severity:'2', \
  setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,logdata:'%{TX.0}', \
  setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}"

SecMarker END_RBL_CHECK


On Mon, Jan 25, 2010 at 8:09 AM, Ryan Barnett <ryan.barnett at breach.com> wrote:
> On Monday 25 January 2010 11:05:31 am OSSEC junkie wrote:
>> All:
>>
>> I am using the RBL lookup and the ip.pag file is huge.  I thought this
>> would be recycled nightly but I guess not.  Any ideas or insight on
>> how to shrink would be great.  I could script the file to be deleted
>> nightly but just wanted to make sure there isn't something I need to
>> be doing but am not..
>>
>
> Please send the exact RBL rule(s) you are using.  More than likely, you will need to use
> some expirevar actions to clear these out more frequently.
>
> -Ryan
>
>
>
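An added example for this thread (not code from the original post or from the OWASP CRS project): a small audit script that parses a ModSecurity rule file, pairs every setvar on a persistent collection (ip, global, resource, session, user) with its expirevar, and reports variables that are written without any expiry, which is the condition Ryan's reply points at as the cause of an ever-growing ip.pag. It also flags a phase action whose value is not a valid phase, so a stray `phase:1.t:none` is caught. The embedded sample rules are constructed from the ones quoted above, joined onto logical lines, plus one invented rule (ip.blocked) that deliberately lacks an expirevar.

```python
"""Audit ModSecurity rules for persistent-collection variables that are
set without a matching expirevar.

Added example for this mailing-list thread; not code from the original post
or from the OWASP CRS project. SAMPLE_RULES is constructed from the rules in
the post plus one invented rule (ip.blocked) with no expirevar.
"""
import re
from typing import Dict, List, Optional, Tuple

# Collections that ModSecurity persists on disk under SecDataDir (ip.pag etc.).
PERSISTENT_COLLECTIONS = {"ip", "global", "resource", "session", "user"}

# Shapes handled: SecRule <variables> "<operator>" "<actions>"  /  SecAction "<actions>"
RULE_RE = re.compile(r'^SecRule\s+(?:"[^"]*"|\S+)\s+"(?:[^"\\]|\\.)*"\s+"((?:[^"\\]|\\.)*)"\s*$')
ACTION_RE = re.compile(r'^SecAction\s+"((?:[^"\\]|\\.)*)"\s*$')
PHASE_RE = re.compile(r"^(?:[1-5]|request|response|logging)$")

# Constructed sample: the thread's rules on logical lines, plus one demo rule.
SAMPLE_RULES = r'''
SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" "phase:1,t:none,pass,nolog,skipAfter:END_RBL_LOOKUP"
SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" \
  "phase:1,t:none,log,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2', \
  setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,logdata:'%{TX.0}', \
  setvar:ip.spammer=1,expirevar:ip.spammer=86400, \
  setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"
SecAction "phase:1.t:none,nolog,pass,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400"
SecMarker END_RBL_LOOKUP
SecRule IP:SPAMMER "@eq 1" "phase:1,t:none,log,auditlog,msg:'Request from Known SPAM Source (Previous RBL Match)',severity:'2',setvar:'tx.msg=%{rule.msg}'"
# Invented for the demo: a persistent variable that is never expired.
SecRule REMOTE_ADDR "@ipMatch 192.0.2.0/24" "phase:1,t:none,nolog,pass,setvar:ip.blocked=1"
SecMarker END_RBL_CHECK
'''


def split_actions(actions: str) -> List[str]:
    """Split an action list on commas that are not inside single quotes."""
    parts, cur, quoted = [], [], False
    for ch in actions:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur).strip())
    return [p for p in parts if p]


def audit(rules_text: str) -> Tuple[Dict[str, Optional[int]], List[str]]:
    """Return (ttl, findings): ttl maps each persistent variable that is set
    to its expirevar seconds (None if never expired); findings are messages.
    Line numbers refer to logical lines after joining backslash continuations."""
    ttl: Dict[str, Optional[int]] = {}
    findings: List[str] = []
    joined = rules_text.replace("\\\n", " ")  # Apache-style line continuation
    for lineno, line in enumerate(joined.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line) or ACTION_RE.match(line)
        if not m:
            continue  # SecMarker, rules without an action list, etc.
        for action in split_actions(m.group(1)):
            name, _, value = action.partition(":")
            value = value.strip("'")
            if name == "phase" and not PHASE_RE.match(value):
                findings.append(f"line {lineno}: malformed phase value '{value}'")
            elif name in ("setvar", "expirevar"):
                if value.startswith("!"):
                    continue  # setvar:!ip.x deletes the variable; nothing to expire
                var, _, rhs = value.partition("=")
                var = var.lower()
                if var.split(".", 1)[0] not in PERSISTENT_COLLECTIONS:
                    continue  # tx.* and friends live only for the transaction
                if name == "setvar":
                    ttl.setdefault(var, None)
                elif rhs.isdigit():
                    ttl[var] = int(rhs)
                else:
                    findings.append(f"line {lineno}: non-numeric expirevar for {var}: '{rhs}'")
    for var, seconds in ttl.items():
        if seconds is None:
            findings.append(f"{var} is set but never expired: collection entries accumulate")
    return ttl, findings


if __name__ == "__main__":
    ttl, findings = audit(SAMPLE_RULES)
    for var, seconds in sorted(ttl.items()):
        print(f"{var}: expires after {seconds}s" if seconds else f"{var}: NO EXPIRY")
    for f in findings:
        print("finding:", f)
```

Run against a real rule file with `audit(open(path).read())`; every variable reported with no expiry is a candidate to receive an `expirevar` so the entry leaves the collection instead of staying there until the file is removed by hand.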
