Plesk 12 log
Posted: Tue Apr 26, 2016 12:26 pm
Hi,
I just started using the free 10 day trial.
I have Plesk 12.5 on CentOS 7
In detect only mode - it seems to be working fine, but I have questions on something in the log, and what would happen if I switched it on from detect only.
The log shows (multiple times)..
==============
Message: [file "/etc/httpd/conf/modsecurity.d/rules/atomic/modsec/20_asl_useragents.conf"] [line "369"] [id "397989"] [rev "1"] [msg "Atomicorp.com WAF Rules: Fake MSIE 6.0 detected"] [severity "WARNING"] Warning. Match of "rx (MS Web Services Client Protocol|WormlyBot)" against "REQUEST_HEADERS:User-Agent" required.
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Stopwatch: 1461675133625308 2960 (- - -)
Stopwatch2: 1461675133625308 2960; combined=1391, p1=72, p2=1254, p3=16, p4=29, p5=20, sr=6, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); 0.
Server: Apache
Engine-Mode: "DETECTION_ONLY"
===============
What is this telling me?
It looks like ASL detected the wormly bot pretending to be MSIE 6.0 - correct?
What would happen if ASL was actually on? Would it block this?
What is wormly bot (besides a bot)... is it destructive?
Thanks!