
Re: Giving full access / avoiding logging to a certain IP Address: msg#00077

apache.mod-security.user

Subject: Re: Giving full access / avoiding logging to a certain IP Address




> Jean-Francois wrote:
>
> Dear all,
>
> I'm new to mod_security 2 (installed on Apache 2.0x).

Welcome!

>
> I'd like to by-pass any core rule defined by mod_security for one
> specific IP Address, and also avoid to log information concerning
> accesses from this IP address
>
> The main reason is to avoid to populate logfiles with unuseful
> information (the IP address is totally trusted) and give full access
> for this super-trusted computer.
>
> So I created the following rule and placed into my httpd.conf:
>
> SecRule REMOTE_ADDR "^192\.168\.0\.22$" "noauditlog,nolog,allow"
>
> But when I'm trying to reach a URL containing, for instance, the
> chain "/etc/passwd", I get an internal error, and the access is logged
> into the audit log file.
>
> Is it possible to totally bypass core rules and completely avoid logging?

Bypassing core rules requires being executed before them. Two things to
consider in this respect are:

1. Add a phase action to the rule to ensure it happens early:
SecRule REMOTE_ADDR "^192\.168\.0\.22$" "noauditlog,nolog,allow,phase:1"

2. Place it early. Near the top of file
modsecurity_crs_20_protocol_violations.conf should do fine.

If you want to use your own files, ensure that you include it in httpd.conf
before the core rule set.

~ Ofer
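
The two steps from the reply above, laid out as configuration. This is an added example, not part of the original message: the file names and include paths are assumed, and the two ctl actions are an addition that switches the rule engine and audit engine off for the rest of the transaction instead of relying on allow alone.

```apache
# ---- httpd.conf (paths are assumed for illustration) ----------------

# Local exceptions are included FIRST. Within a phase, ModSecurity
# evaluates rules in the order they appear in the configuration, so the
# exemption has to be read before any core rule.
Include conf/modsecurity/local_exceptions.conf

# The core rule set is included afterwards.
Include conf/modsecurity/modsecurity_crs_*.conf


# ---- conf/modsecurity/local_exceptions.conf (assumed file name) ------

# phase:1   runs at the request-headers stage, ahead of the body
#           inspection rules in phase 2.
# allow     stops further rule processing for the trusted address.
# nolog / noauditlog
#           keep this rule's own match out of the error and audit logs.
# ctl:ruleEngine=Off, ctl:auditEngine=Off
#           added here: disable rule processing and audit logging for
#           this transaction only, covering later phases as well.
#
# The anchored regex (^...$) with escaped dots matches exactly one
# address. An unanchored or unescaped pattern would also exempt
# addresses such as 192.168.0.220.
SecRule REMOTE_ADDR "^192\.168\.0\.22$" \
    "phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"

# Caveats for anyone reusing this:
#  * REMOTE_ADDR is the TCP peer. Behind a reverse proxy or load
#    balancer it is the proxy's address, so this rule would exempt
#    every client that arrives through that proxy.
#  * Newer ModSecurity 2.x releases require every rule to carry an
#    id action (for example id:1000, a constructed value).
```

After reloading Apache, a request from 192.168.0.22 containing "/etc/passwd" should return normally and leave no audit log entry, while the same request from any other address should still be caught by the core rules.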

