Odd rule 350000 issue

Spazholio
Forum User
Posts: 10
Joined: Wed Jul 19, 2006 10:37 pm

Unread post by Spazholio »

Here's what I'm getting in my OSSEC HIDS hourly email:

[modsecurity] [client xxx.xxx.xxx.xxx] [domain www.domain.com] [403] [/20080624/20080624-1105/20080624-110535-uvomP0jpM6cAACZhqEoAAAAL] [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "23"] [id "350000"] [msg "RBL: sbl-xbl.spamhaus.org"] [severity "ALERT"] Access denied with code 403 (phase 2). Match of "rx 88.138.0.155" against "REMOTE_ADDR" required.

Now, the issues I'm noticing are this:

This isn't showing up in the Dashboard. I created a 00_asl_custom_exclude.conf (which contains: SecRuleRemoveById 350000) in the /etc/httpd/modsecurity.d dir in order to disable this rule, because it's firing on nearly every one of my domains, and has nothing to do with 88.138.0.155. That is not the IP that's getting reported. Heck, I use ModernBill as my billing software, and they were getting blocked from their IP (which isn't even close to 88.138.0.155).

My question is basically, how can I disable this rule permanently, or how can I determine just what the heck is making it fire? It's not matching on that IP, it's matching on something else. Can anyone shed some light on this?
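An added example, not code from any poster or from Atomicorp: a small Python parser for the bracketed OSSEC/ModSecurity alert line quoted above. It pulls out the client, rule id, file, msg and the "Match of" text, and flags the discrepancy noted in the post, where the pattern quoted in the match text does not match the reported client. The sample line is constructed (placeholder IPs and domain) in the same format as the one in the post.

```python
import re

# Constructed sample in the format of the OSSEC alert quoted in the post
# (client IP and domain are placeholders, not real addresses).
SAMPLE = (
    '[modsecurity] [client 203.0.113.7] [domain www.example.com] [403] '
    '[/20080624/20080624-1105/20080624-110535-uvomP0jpM6cAACZhqEoAAAAL] '
    '[file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "23"] [id "350000"] '
    '[msg "RBL: sbl-xbl.spamhaus.org"] [severity "ALERT"] '
    'Access denied with code 403 (phase 2). '
    'Match of "rx 88.138.0.155" against "REMOTE_ADDR" required.'
)

# Bracketed "[key value]" or "[key "value"]" fields; bare "[403]" style tokens are skipped.
FIELD = re.compile(r'\[(\w+)\s+"?([^\]"]*)"?\]')
# The operator/pattern/variable part of the "Match of ..." message.
MATCH = re.compile(r'Match of "rx ([^"]+)" against "([^"]+)"')


def parse_alert(line):
    """Return the bracketed fields of one alert line as a dict, plus the match details."""
    fields = dict(FIELD.findall(line))
    m = MATCH.search(line)
    if m:
        fields["match_pattern"] = m.group(1)   # e.g. 88.138.0.155
        fields["match_var"] = m.group(2)       # e.g. REMOTE_ADDR
    return fields


def triage(fields):
    """Return human-readable notes explaining what to look at for this alert."""
    notes = []
    msg = fields.get("msg", "")
    if fields.get("id") == "350000" and msg.startswith("RBL:"):
        rbl = msg.split(":", 1)[1].strip()
        notes.append(f"rule 350000 is the RBL check in {fields.get('file')}; "
                     f"the client was looked up in {rbl}")
    pat, client = fields.get("match_pattern"), fields.get("client")
    # The logged pattern is used as a regex, exactly as the "rx" operator would apply it.
    if pat and client and not re.fullmatch(pat, client):
        notes.append(f"logged pattern {pat!r} does not match client {client!r}; "
                     f"check the client's RBL listing, not that address")
    return notes


if __name__ == "__main__":
    for note in triage(parse_alert(SAMPLE)):
        print(note)
```

Running it on the real hourly-email lines (one per call) gives a per-alert reason to decide which rule ids to exclude or demote rather than switching off the whole RBL category.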
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

You can disable RBL checks in /etc/asl/config, set the following:

MODSEC_00_RBL="off"


and run:
asl -s -f
Spazholio
Forum User
Posts: 10
Joined: Wed Jul 19, 2006 10:37 pm

Unread post by Spazholio »

Is that actually advised? To disable a whole category of security checks? Or is RBL checking one of those that's not TOO bad to eliminate?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

IPs listed on the RBL are known sources of either spam, or malicious activity. Personally, yes, I think disabling it is a bad idea. If your users are coming from RBL sources, which isn't uncommon for a lot of international users, then using it might not be an option.
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Unread post by hostingguy »

We don't use the RBL on our servers; we figure if they are going to do anything bad they will get caught in a specific rule.
warrenc
Forum User
Posts: 41
Joined: Sat May 24, 2008 5:00 pm
Location: VA

Unread post by warrenc »

I'm using that ruleset as well and get lots of the same alerts. I'm sure it's not too difficult to 'demote' them so that they don't fire off so many OSSEC emails, etc., though. I have a ticket in regarding this; hopefully they will help, but if not I'll dig into it a bit when I have some time.