which rules are triggering?

Posted: Wed Mar 16, 2011 10:42 pm
by jpkelly
I am seeing activity in the logs which shows clients getting blocked where I know this activity should be ok.
Also I am unable to view the server-status page even with my IP in the whitelist.
How can I tell which rules are getting triggered?
Here are audit_log entries:

Code:

www.smallgod.net 76.14.57.52 - - [16/Mar/2011:19:28:39 --0700] "GET /server-info/ HTTP/1.1" 404 65113 "-" "-" a09nJkgKIkkAAHcHtyMAAAAG "-" /20110316/20110316-1928/20110316-192839-a09nJkgKIkkAAHcHtyMAAAAG 0 2623285 md5:97422f5878bbf22bff3c8064c93883e0 
make-one.co 76.90.211.164 - - [16/Mar/2011:19:30:06 --0700] "GET /contact-subscribe/?visual-editor=true HTTP/1.1" 500 37743 "-" "-" cIUdoUgKIkkAABzaEw0AAAAA "-" /20110316/20110316-1930/20110316-193006-cIUdoUgKIkkAABzaEw0AAAAA 0 2246 md5:77c3ff3123167de4bbd25054a242d13f 
www.smallgod.net 76.14.57.52 - - [16/Mar/2011:19:30:11 --0700] "GET /server-status/ HTTP/1.1" 401 1214 "-" "-" cNlfvEgKIkkAAHb@qTkAAAAF "-" /20110316/20110316-1930/20110316-193011-cNlfvEgKIkkAAHb@qTkAAAAF 0 1433 md5:056355727a4514ca1cec861e6d8b8108 
www.foncocreative.net 87.118.102.188 - - [16/Mar/2011:19:31:33 --0700] "POST /indieforum/posting.php?mode=reply&f=3&sid=a799a44077287a32f9e2e005848da54e&t=1353 HTTP/1.0" 403 962 "-" "-" dbi8skgKIkkAAD1vOrsAAAAC "-" /20110316/20110316-1931/20110316-193133-dbi8skgKIkkAAD1vOrsAAAAC 0 9731 md5:fc9582a87c8deb6c777e3583eaf29c28 
make-one.co 76.90.211.164 - - [16/Mar/2011:19:33:01 --0700] "GET /contact-subscribe/?visual-editor=true HTTP/1.1" 500 37690 "-" "-" evClw0gKIkkAAHcN3kEAAAAJ "-" /20110316/20110316-1933/20110316-193301-evClw0gKIkkAAHcN3kEAAAAJ 0 2246 md5:0373ad735f3029bb532e22f835236ee5 
make-one.co 76.90.211.164 - - [16/Mar/2011:19:37:08 --0700] "GET /contact-subscribe/?visual-editor=true HTTP/1.1" 500 37659 "-" "-" iaZmnEgKIkkAAGcbZ6AAAAAA "-" /20110316/20110316-1937/20110316-193708-iaZmnEgKIkkAAGcbZ6AAAAAA 0 2221 md5:015d8f335f581528770ee310140b52e5 

Re: which rules are triggering?

Posted: Thu Mar 17, 2011 8:08 am
by Highland
You're looking at the Apache logs. By default, full modsec logs are kept in /var/asl/data/audit and your Apache logs tell you what file to look at. So
www.smallgod.net 76.14.57.52 - - [16/Mar/2011:19:28:39 --0700] "GET /server-info/ HTTP/1.1" 404 65113 "-" "-" a09nJkgKIkkAAHcHtyMAAAAG "-" /20110316/20110316-1928/20110316-192839-a09nJkgKIkkAAHcHtyMAAAAG 0 2623285 md5:97422f5878bbf22bff3c8064c93883e0
means your event was logged in
/var/asl/data/audit/20110316/20110316-1928/20110316-192839-a09nJkgKIkkAAHcHtyMAAAAG

Honestly, this is the hard way to do it. The ASL panel (https://<your ip here>:30000) is the easy way, since it shows you all events and gives you one-click access to see logs (by domain!) and to report false positives.
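The mapping Highland describes, as an added example that is not code from the thread or from ASL: the index lines posted above are parsed, the file field at the end of each is joined to the audit root quoted in the reply, and the `Message:` lines of Part H in a per-transaction audit file are reduced to the rule ids and messages that fired. The two index lines are copied from the original post; the audit file body, its ports, server address and rule ids are constructed placeholders, and the `/var/asl/data/audit` root is assumed to be unchanged from the default named above.

```python
"""Map ModSecurity concurrent audit_log index lines to their per-transaction
files and list the rule ids recorded in such a file.  Added example for this
thread: index lines come from the post, the audit file body is constructed."""
import re

AUDIT_ROOT = "/var/asl/data/audit"   # default location named in the thread (assumed unchanged)

# Index lines exactly as posted in the thread.
INDEX_LINES = """\
www.smallgod.net 76.14.57.52 - - [16/Mar/2011:19:28:39 --0700] "GET /server-info/ HTTP/1.1" 404 65113 "-" "-" a09nJkgKIkkAAHcHtyMAAAAG "-" /20110316/20110316-1928/20110316-192839-a09nJkgKIkkAAHcHtyMAAAAG 0 2623285 md5:97422f5878bbf22bff3c8064c93883e0
www.foncocreative.net 87.118.102.188 - - [16/Mar/2011:19:31:33 --0700] "POST /indieforum/posting.php?mode=reply&f=3&sid=a799a44077287a32f9e2e005848da54e&t=1353 HTTP/1.0" 403 962 "-" "-" dbi8skgKIkkAAD1vOrsAAAAC "-" /20110316/20110316-1931/20110316-193133-dbi8skgKIkkAAD1vOrsAAAAC 0 9731 md5:fc9582a87c8deb6c777e3583eaf29c28
"""

# Index line layout: host client - - [time] "request" status bytes "referer" "ua"
#                    unique_id "session" /relative/audit/file offset size md5:hash
INDEX_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*" '
    r'(?P<uniqid>\S+) "[^"]*" (?P<file>/\S+) \d+ \d+ md5:(?P<md5>[0-9a-f]{32})\s*$'
)

# Constructed audit file (NOT from the thread). Source port, server address and
# the rule ids/messages are placeholders; the Part layout is ModSecurity's own.
SAMPLE_AUDIT_FILE = """\
--dbi8skgK-A--
[16/Mar/2011:19:31:33 --0700] dbi8skgKIkkAAD1vOrsAAAAC 87.118.102.188 34567 10.0.0.5 80
--dbi8skgK-B--
POST /indieforum/posting.php?mode=reply&f=3&sid=a799a44077287a32f9e2e005848da54e&t=1353 HTTP/1.0
Host: www.foncocreative.net

--dbi8skgK-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:example)" at ARGS:message. [file "/etc/httpd/modsecurity.d/EXAMPLE_rules.conf"] [line "42"] [id "999001"] [rev "1"] [msg "EXAMPLE: placeholder rule"] [severity "CRITICAL"]
Message: Warning. Operator EQ matched 1 at TX:anomaly. [file "/etc/httpd/modsecurity.d/EXAMPLE_rules.conf"] [line "43"] [id "999002"] [msg "EXAMPLE: second placeholder rule"]
Action: Intercepted (phase 2)
--dbi8skgK-Z--
"""

# Part H runs from "--<boundary>-H--" to the next part with the same boundary.
H_SECTION_RE = re.compile(r'^--(?P<b>[^-]+)-H--\n(?P<body>.*?)(?=^--(?P=b)-)', re.S | re.M)
MSG_RE = re.compile(r'^Message: (?P<text>.*)$', re.M)
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs, quotes may be escaped


def parse_index_line(line):
    """Split one audit_log index line into its fields, or None if it does not match."""
    m = INDEX_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def audit_file_path(entry, root=AUDIT_ROOT):
    """Absolute path of the per-transaction file: audit root + the index line's file field."""
    return root.rstrip("/") + entry["file"]


def rule_hits(audit_text):
    """Return one dict per Message line in Part H: rule id, msg, and whether it denied the request."""
    section = H_SECTION_RE.search(audit_text)
    if not section:
        return []
    hits = []
    for msg in MSG_RE.finditer(section.group("body")):
        tags = dict(TAG_RE.findall(msg.group("text")))
        hits.append({
            "id": tags.get("id"),
            "msg": tags.get("msg"),
            "denied": msg.group("text").startswith("Access denied"),
        })
    return hits


def main():
    for line in INDEX_LINES.splitlines():
        entry = parse_index_line(line)
        if entry:
            print(entry["status"], entry["request"], "->", audit_file_path(entry))
    # On a live box, open() the path printed above instead of the constructed sample.
    for hit in rule_hits(SAMPLE_AUDIT_FILE):
        print("rule", hit["id"], "denied" if hit["denied"] else "warned", "-", hit["msg"])


if __name__ == "__main__":
    main()
```

Only the `Access denied` message in Part H is the rule that actually blocked the request; the other `Message:` lines are rules that matched but only warned, which is the distinction to keep in mind before reporting one as a false positive.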

Re: which rules are triggering?

Posted: Thu Mar 17, 2011 1:57 pm
by jpkelly
Is there a free version of the ASL panel?

Re: which rules are triggering?

Posted: Thu Mar 17, 2011 2:18 pm
by Highland
Gah. Forgot these were free rules. I don't think there is.

At any rate, you still have the physical logs.

Re: which rules are triggering?

Posted: Thu Mar 17, 2011 3:14 pm
by scott
There's a free 30-day trial.

Re: which rules are triggering?

Posted: Thu Mar 17, 2011 3:27 pm
by jpkelly
hmmm... :wink:

Re: which rules are triggering?

Posted: Thu Mar 17, 2011 9:32 pm
by jpkelly
How do I add a 30-day trial to my profile? I tried both Google Checkout and PayPal but am unable to add a subscription.