which rules are triggering?

Community support forums for the free/delayed modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the delayed modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
jpkelly
Forum User
Posts: 85
Joined: Sat Jan 20, 2007 6:57 pm

which rules are triggering?

Unread post by jpkelly »

I am seeing activity in the logs which shows clients getting blocked where I know this activity should be ok.
Also I am unable to view the server-status page even with my IP in the whitelist.
How can I tell which rules are getting triggered?
Here are audit_log entries:


www.smallgod.net 76.14.57.52 - - [16/Mar/2011:19:28:39 --0700] "GET /server-info/ HTTP/1.1" 404 65113 "-" "-" a09nJkgKIkkAAHcHtyMAAAAG "-" /20110316/20110316-1928/20110316-192839-a09nJkgKIkkAAHcHtyMAAAAG 0 2623285 md5:97422f5878bbf22bff3c8064c93883e0 
make-one.co 76.90.211.164 - - [16/Mar/2011:19:30:06 --0700] "GET /contact-subscribe/?visual-editor=true HTTP/1.1" 500 37743 "-" "-" cIUdoUgKIkkAABzaEw0AAAAA "-" /20110316/20110316-1930/20110316-193006-cIUdoUgKIkkAABzaEw0AAAAA 0 2246 md5:77c3ff3123167de4bbd25054a242d13f 
www.smallgod.net 76.14.57.52 - - [16/Mar/2011:19:30:11 --0700] "GET /server-status/ HTTP/1.1" 401 1214 "-" "-" cNlfvEgKIkkAAHb@qTkAAAAF "-" /20110316/20110316-1930/20110316-193011-cNlfvEgKIkkAAHb@qTkAAAAF 0 1433 md5:056355727a4514ca1cec861e6d8b8108 
www.foncocreative.net 87.118.102.188 - - [16/Mar/2011:19:31:33 --0700] "POST /indieforum/posting.php?mode=reply&f=3&sid=a799a44077287a32f9e2e005848da54e&t=1353 HTTP/1.0" 403 962 "-" "-" dbi8skgKIkkAAD1vOrsAAAAC "-" /20110316/20110316-1931/20110316-193133-dbi8skgKIkkAAD1vOrsAAAAC 0 9731 md5:fc9582a87c8deb6c777e3583eaf29c28 
make-one.co 76.90.211.164 - - [16/Mar/2011:19:33:01 --0700] "GET /contact-subscribe/?visual-editor=true HTTP/1.1" 500 37690 "-" "-" evClw0gKIkkAAHcN3kEAAAAJ "-" /20110316/20110316-1933/20110316-193301-evClw0gKIkkAAHcN3kEAAAAJ 0 2246 md5:0373ad735f3029bb532e22f835236ee5 
make-one.co 76.90.211.164 - - [16/Mar/2011:19:37:08 --0700] "GET /contact-subscribe/?visual-editor=true HTTP/1.1" 500 37659 "-" "-" iaZmnEgKIkkAAGcbZ6AAAAAA "-" /20110316/20110316-1937/20110316-193708-iaZmnEgKIkkAAGcbZ6AAAAAA 0 2221 md5:015d8f335f581528770ee310140b52e5 
Highland
Forum Regular
Posts: 674
Joined: Mon Apr 10, 2006 12:55 pm

Re: which rules are triggering?

Unread post by Highland »

You're looking at the Apache logs. By default, full modsec logs are kept in /var/asl/data/audit and your Apache logs tell you what file to look at. So
www.smallgod.net 76.14.57.52 - - [16/Mar/2011:19:28:39 --0700] "GET /server-info/ HTTP/1.1" 404 65113 "-" "-" a09nJkgKIkkAAHcHtyMAAAAG "-" /20110316/20110316-1928/20110316-192839-a09nJkgKIkkAAHcHtyMAAAAG 0 2623285 md5:97422f5878bbf22bff3c8064c93883e0
means your event was logged in
/var/asl/data/audit/20110316/20110316-1928/20110316-192839-a09nJkgKIkkAAHcHtyMAAAAG

Honestly, this is the hard way to do it. The ASL panel (https://<your ip here>:30000) is the easy way since it shows you all events and gives you one-click access to see logs (by domain!) and to report false positives.
"It's not a Mac. I run Linux... I'm actually cool." - scott
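As an added example (not code from this thread or from Atomicorp), the lookup Highland describes, done in Python: pull the per-transaction audit file path out of the concurrent-mode index line, resolve it under /var/asl/data/audit, and then read the rule ids from the Message: lines in that file's H section. The index line is the 403 entry from the original post; the audit-file contents and the rule ids in it are constructed samples.

```python
import re
from pathlib import Path

# Directory named in the thread; each index line's path field is relative to it.
AUDIT_DIR = Path("/var/asl/data/audit")

# Concurrent-mode index line: host, client, ident, user, [timestamp], "request",
# status, bytes, "referer", "user-agent", unique id, "session", audit file path,
# offset, size, md5:<hash>. Trailing whitespace is tolerated.
INDEX_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*" '
    r'(?P<uid>\S+) "[^"]*" (?P<relpath>\S+) \d+ \d+ md5:(?P<md5>[0-9a-f]{32})\s*$'
)

def parse_index_line(line):
    """Return the parsed fields plus the absolute audit file, or None if no match."""
    m = INDEX_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["audit_file"] = AUDIT_DIR / fields["relpath"].lstrip("/")
    return fields

# Section H of a per-transaction audit file carries one "Message:" line per rule
# that matched; each one is tagged with [id "NNN"].
RULE_ID_RE = re.compile(r'^Message: .*?\[id "(\d+)"\]', re.M)

def triggered_rule_ids(audit_text):
    """Rule ids, in match order, from the Message: lines of an audit file."""
    return RULE_ID_RE.findall(audit_text)

# Index line copied from the original post (the blocked POST).
SAMPLE_INDEX_LINE = (
    'www.foncocreative.net 87.118.102.188 - - [16/Mar/2011:19:31:33 --0700] '
    '"POST /indieforum/posting.php?mode=reply&f=3&sid=a799a44077287a32f9e2e005848da54e&t=1353 HTTP/1.0" '
    '403 962 "-" "-" dbi8skgKIkkAAD1vOrsAAAAC "-" '
    '/20110316/20110316-1931/20110316-193133-dbi8skgKIkkAAD1vOrsAAAAC 0 9731 '
    'md5:fc9582a87c8deb6c777e3583eaf29c28 '
)

# Constructed H section; the rule ids and rules-file path are placeholders, not real ASL values.
SAMPLE_AUDIT_H = """--dbi8skgK-H--
Message: Warning. Pattern match "select.*from" at ARGS:message. [file "RULES-FILE-PLACEHOLDER"] [line "1"] [id "100001"] [msg "constructed sample"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "RULES-FILE-PLACEHOLDER"] [line "2"] [id "100002"] [msg "constructed sample"]
Action: Intercepted (phase 2)
--dbi8skgK-Z--
"""

if __name__ == "__main__":
    event = parse_index_line(SAMPLE_INDEX_LINE)
    print(event["status"], event["audit_file"])
    print("rules:", triggered_rule_ids(SAMPLE_AUDIT_H))  # on a live box: audit_file.read_text()
```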
jpkelly
Forum User
Posts: 85
Joined: Sat Jan 20, 2007 6:57 pm

Re: which rules are triggering?

Unread post by jpkelly »

Is there a free version of the ASL panel?
Highland
Forum Regular
Posts: 674
Joined: Mon Apr 10, 2006 12:55 pm

Re: which rules are triggering?

Unread post by Highland »

Gah. Forgot these were free rules. I don't think there is.

At any rate, you still have the physical logs.
"It's not a Mac. I run Linux... I'm actually cool." - scott
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: which rules are triggering?

Unread post by scott »

There's a free 30-day trial.
jpkelly
Forum User
Posts: 85
Joined: Sat Jan 20, 2007 6:57 pm

Re: which rules are triggering?

Unread post by jpkelly »

hmmm... :wink:
jpkelly
Forum User
Posts: 85
Joined: Sat Jan 20, 2007 6:57 pm

Re: which rules are triggering?

Unread post by jpkelly »

How do I add a 30-day trial to my profile? I tried both Google Checkout and PayPal but am unable to add a subscription.