[Owasp-modsecurity-core-rule-set] RBL Lookup File - ip.pag help!

OSSEC junkie ossec.junkie at gmail.com
Tue Jan 26 15:06:07 EST 2010


Sorry to bug but do you have any insight as to what could be wrong
with the configuration?

Thanks!


On Mon, Jan 25, 2010 at 8:14 AM, OSSEC junkie <ossec.junkie at gmail.com> wrote:
> Here is the ruleset below:
> SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" "phase:1,t:none,pass,nolog,skipAfter:END_RBL_LOOKUP"
>
> SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" "phase:1,t:none,log,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,logdata:'%{TX.0}',setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var},setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"
>
> SecAction "phase:1,t:none,nolog,pass,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400"
>
> SecMarker END_RBL_LOOKUP
>
> SecRule IP:SPAMMER "@eq 1" "phase:1,t:none,log,auditlog,msg:'Request from Known SPAM Source (Previous RBL Match)',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,logdata:'%{TX.0}',setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}"
>
> SecMarker END_RBL_CHECK
>
>
> On Mon, Jan 25, 2010 at 8:09 AM, Ryan Barnett <ryan.barnett at breach.com> wrote:
>> On Monday 25 January 2010 11:05:31 am OSSEC junkie wrote:
>>> All:
>>>
>>> I am using the RBL lookup and the ip.pag file is huge.  I thought this
>>> would be recycled nightly but I guess not.  Any ideas or insight on
>>> how to shrink it would be great.  I could script the file to be deleted
>>> nightly but just wanted to make sure there isn't something I need to
>>> be doing but am not.
>>>
>>
>> Please send the exact RBL rule(s) you are using.  More than likely, you will need to use
>> some expirevar actions to clear these out more frequently.
>>
>> -Ryan
>>
>>
>>
>
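Ryan's advice is that entries in a persistent collection such as ip.pag only become eligible for expiry if the variables written into them carry an expirevar. The following is an added example, not code from the thread or from the Core Rule Set: a small lint that parses ModSecurity 2.x directives, splits each action list (honouring single-quoted values), and reports (a) any setvar on a persistent collection (ip., global., session., user., resource.) that has no matching expirevar in the same action list, and (b) a phase action whose value is not valid, which is how a mistyped separator such as `phase:1.t:none` shows up. The sample rules embedded in the block are constructed, adapted from the posted ruleset: the SecAction keeps the `phase:1.t:none` typo and the last rule has an added `setvar:ip.seen=1` with no expirevar, both deliberately, so that the lint has something to report.

```python
"""Lint ModSecurity 2.x rule actions for persistent-collection hygiene.

Added example (not the thread's or the CRS's own code). Two checks:
  * every setvar on a persistent collection has a matching expirevar in
    the same action list, so the entry can eventually age out of ip.pag;
  * the phase action carries a valid value, which catches typos where a
    '.' instead of ',' fuses the phase with the next action.
"""
import re

# Collections that ModSecurity 2.x stores on disk (e.g. ip.pag / ip.dir).
PERSISTENT = ("ip", "global", "session", "user", "resource")
VALID_PHASES = {"1", "2", "3", "4", "5", "request", "response", "logging"}

# Constructed sample, adapted from the posted rules; the SecAction keeps the
# "phase:1.t:none" typo and the last rule has an ip.seen setvar with no
# expirevar, both on purpose so the lint reports something.
SAMPLE_RULES = "\n".join([
    'SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" "phase:1,t:none,pass,nolog,skipAfter:END_RBL_LOOKUP"',
    'SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" "phase:1,t:none,log,auditlog,'
    "msg:'RBL Match for SPAM Source',severity:'2',setvar:'tx.msg=%{rule.msg}',"
    'setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,'
    'expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"',
    'SecAction "phase:1.t:none,nolog,pass,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400"',
    "SecMarker END_RBL_LOOKUP",
    'SecRule IP:SPAMMER "@eq 1" "phase:1,t:none,log,auditlog,'
    "msg:'Request from Known SPAM Source',severity:'2',setvar:ip.seen=1\"",
    "SecMarker END_RBL_CHECK",
])


def split_actions(actions: str) -> list[str]:
    """Split an action string on commas, keeping commas inside single quotes.

    The quote characters themselves are dropped, so setvar:'tx.msg=x'
    comes back as setvar:tx.msg=x.
    """
    tokens, cur, quoted = [], [], False
    for ch in actions:
        if ch == "'":
            quoted = not quoted
            continue
        if ch == "," and not quoted:
            tokens.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    if cur:
        tokens.append("".join(cur).strip())
    return [t for t in tokens if t]


def lint_actions(actions: str) -> list[str]:
    """Return human-readable findings for one rule's action list."""
    findings = []
    set_vars, expire_vars = set(), set()
    for tok in split_actions(actions):
        name, _, value = tok.partition(":")
        if name == "phase" and value not in VALID_PHASES:
            findings.append(f"invalid phase value {value!r}")
        elif name == "setvar":
            var = value.split("=", 1)[0]
            if var.startswith("!"):        # setvar:!ip.x deletes, nothing to expire
                continue
            if var.split(".", 1)[0].lower() in PERSISTENT:
                set_vars.add(var.lower())
        elif name == "expirevar":
            expire_vars.add(value.split("=", 1)[0].lower())
    for var in sorted(set_vars - expire_vars):
        findings.append(f"setvar on persistent variable {var!r} has no expirevar")
    return findings


def lint_rules(config: str) -> dict[int, list[str]]:
    """Map 1-based line numbers of SecRule/SecAction directives to findings."""
    report = {}
    for lineno, line in enumerate(config.splitlines(), 1):
        stripped = line.strip()
        if not stripped.startswith(("SecRule", "SecAction")):
            continue
        # The action list is the last double-quoted string on the directive.
        quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', stripped)
        if not quoted:
            continue
        findings = lint_actions(quoted[-1])
        if findings:
            report[lineno] = findings
    return report


if __name__ == "__main__":
    for lineno, findings in sorted(lint_rules(SAMPLE_RULES).items()):
        for finding in findings:
            print(f"line {lineno}: {finding}")
```

Run against a real rule file with `lint_rules(open(path).read())`. The lint deliberately only looks within one action list: a setvar in one rule paired with an expirevar in a different rule is still reported, because the expiry then depends on that other rule being reached for the same client, which is exactly the kind of gap that lets a collection file keep growing.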
