Re: mod-security-users Digest, Vol 6, Issue 22

Ivan Ristic wrote:
> On 11/21/06, Dan Rossi <spam@xxxxxxxxxxxxxxxx> wrote:
>>
>
> I don't think there's anything you can do about it. Not having an
> User-Agent is perfectly legal as far as HTTP is concerned. You could
> try to allow such clients only from specific IP addresses, for
> example.

ok, just using some default rules.

>
>
>>
>
> I am not sure what problem you are describing. Can you be more 
> specific please?

Ok a rule for a cookie data check had a log,pass action was causing a 
500 status from the default action deny,log,status:500 etc, i was also 
getting a default status of 403 when i set the default action to 
"auditlog,pass" so i can see what urls should be getting through but are 
tripping the audit log, so still allow the traffic until i tweak 
everything.

>
> Both ModSecurity 1.9.x and 2.x provide equal capabilities when it
> comes to rule overriding. You have options to either remove all rules
> and start from scratch, or remove only some rules (by their specific
> ID, ID range, or keyword that appears in the message). Look up
> SecRuleRemoveById and SecRuleRemoveByMsg in the manual. In both cases
> you can add new rules as you are pleased.
>
Ok these two rulesets allow for remove all and some rules in a location 
/ virtualhost

>
> You can implement that via en external script using the exec action.
> In general it's not a very good idea unless you implement throttling
> too, ie have a mechanism that will prevent uncontrolled sending of
> thousands of emails.
>

I could look at some kind of "buffered smtp appender", what i was asking 
specicially how are we able to send the message as an argument to a perl 
script ie "deny,log,status:500,send:alert.pl themessagevarhere". I only 
really need this for the start , as it seems im getting alot of 
errornous audits which should be letting traffic through so i need to be 
aware of it so take action and tweak things.


-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV