Community support forums for the free/delayed modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the delayed modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
jpkelly
Forum User
Posts: 85 Joined: Sat Jan 20, 2007 6:57 pm
by jpkelly » Wed Mar 16, 2011 10:42 pm
I am seeing activity in the logs which shows clients getting blocked where I know this activity should be ok.
Also I am unable to view the server-status page even with my IP in the whitelist.
How can I tell which rules are getting triggered?
Here are audit_log entries:
www.smallgod.net 76.14.57.52 - - [16/Mar/2011:19:28:39 --0700] "GET /server-info/ HTTP/1.1" 404 65113 "-" "-" a09nJkgKIkkAAHcHtyMAAAAG "-" /20110316/20110316-1928/20110316-192839-a09nJkgKIkkAAHcHtyMAAAAG 0 2623285 md5:97422f5878bbf22bff3c8064c93883e0
make-one.co 76.90.211.164 - - [16/Mar/2011:19:30:06 --0700] "GET /contact-subscribe/?visual-editor=true HTTP/1.1" 500 37743 "-" "-" cIUdoUgKIkkAABzaEw0AAAAA "-" /20110316/20110316-1930/20110316-193006-cIUdoUgKIkkAABzaEw0AAAAA 0 2246 md5:77c3ff3123167de4bbd25054a242d13f
www.smallgod.net 76.14.57.52 - - [16/Mar/2011:19:30:11 --0700] "GET /server-status/ HTTP/1.1" 401 1214 "-" "-" cNlfvEgKIkkAAHb@qTkAAAAF "-" /20110316/20110316-1930/20110316-193011-cNlfvEgKIkkAAHb@qTkAAAAF 0 1433 md5:056355727a4514ca1cec861e6d8b8108
www.foncocreative.net 87.118.102.188 - - [16/Mar/2011:19:31:33 --0700] "POST /indieforum/posting.php?mode=reply&f=3&sid=a799a44077287a32f9e2e005848da54e&t=1353 HTTP/1.0" 403 962 "-" "-" dbi8skgKIkkAAD1vOrsAAAAC "-" /20110316/20110316-1931/20110316-193133-dbi8skgKIkkAAD1vOrsAAAAC 0 9731 md5:fc9582a87c8deb6c777e3583eaf29c28
make-one.co 76.90.211.164 - - [16/Mar/2011:19:33:01 --0700] "GET /contact-subscribe/?visual-editor=true HTTP/1.1" 500 37690 "-" "-" evClw0gKIkkAAHcN3kEAAAAJ "-" /20110316/20110316-1933/20110316-193301-evClw0gKIkkAAHcN3kEAAAAJ 0 2246 md5:0373ad735f3029bb532e22f835236ee5
make-one.co 76.90.211.164 - - [16/Mar/2011:19:37:08 --0700] "GET /contact-subscribe/?visual-editor=true HTTP/1.1" 500 37659 "-" "-" iaZmnEgKIkkAAGcbZ6AAAAAA "-" /20110316/20110316-1937/20110316-193708-iaZmnEgKIkkAAGcbZ6AAAAAA 0 2221 md5:015d8f335f581528770ee310140b52e5
Highland
Forum Regular
Posts: 674 Joined: Mon Apr 10, 2006 12:55 pm
by Highland » Thu Mar 17, 2011 8:08 am
You're looking at the Apache logs. By default, full modsec logs are kept in /var/asl/data/audit and your Apache logs tell you what file to look at. So
www.smallgod.net 76.14.57.52 - - [16/Mar/2011:19:28:39 --0700] "GET /server-info/ HTTP/1.1" 404 65113 "-" "-" a09nJkgKIkkAAHcHtyMAAAAG "-"
/20110316/20110316-1928/20110316-192839-a09nJkgKIkkAAHcHtyMAAAAG 0 2623285 md5:97422f5878bbf22bff3c8064c93883e0
means your event was logged in
/var/asl/data/audit/20110316/20110316-1928/20110316-192839-a09nJkgKIkkAAHcHtyMAAAAG
Honestly, this is the hard way to do it. The ASL panel (https://<your ip here>:30000) is the easy way since it shows you all events and gives you one-click access to see logs (by domain!) and to report false positives.
"It's not a mac. I run linux... I'm actually cool." - scott
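As an added worked example (not code from the thread, from Atomicorp or from the ASL product), the script below does in Python what Highland describes by hand: it parses audit_log index lines of the shape shown in the question, joins the relative file field to /var/asl/data/audit to get the per-transaction audit file, and then pulls the rule ids out of that file's H part, which is where ModSecurity 2.x writes one "Message:" line per matched rule with an [id "..."] tag. The two index lines are copied from the question; the audit file contents, the rule ids 999001/999002, the [file "..."] path and the message strings are constructed so the example runs offline.

```python
"""Resolve ModSecurity audit_log index lines to their per-transaction audit
files and list the rule ids recorded in each file's H (trailer) part.
The audit file contents used below are constructed for this example."""
import re
from pathlib import Path

# Default root of the concurrent audit store, as named in the thread.
AUDIT_ROOT = "/var/asl/data/audit"

# One index line = combined-log fields, then: unique id, session id,
# relative audit file, offset, size, md5 of the audit file.
INDEX_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<unique_id>\S+) (?P<session>\S+) '
    r'(?P<file>/\S+) (?P<offset>\d+) (?P<size>\d+) md5:(?P<md5>[0-9a-f]{32})$'
)
# In part H every matched rule leaves a "Message:" line carrying [id "N"]
# and usually [msg "..."]; "Access denied" marks the rule that blocked.
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
RULE_MSG_RE = re.compile(r'\[msg "([^"]*)"\]')


def parse_index_line(line, audit_root=AUDIT_ROOT):
    """Return the index fields plus the absolute audit file path, or None."""
    m = INDEX_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["path"] = audit_root.rstrip("/") + fields["file"]
    return fields


def triggered_rules(audit_text):
    """List (rule_id, msg, blocked) for each Message line in the audit text."""
    rules = []
    for line in audit_text.splitlines():
        if not line.startswith("Message:"):
            continue
        rule_id = RULE_ID_RE.search(line)
        if rule_id is None:
            continue
        msg = RULE_MSG_RE.search(line)
        blocked = line.startswith("Message: Access denied")
        rules.append((rule_id.group(1), msg.group(1) if msg else "", blocked))
    return rules


def _read_audit_file(path):
    return Path(path).read_text(errors="replace")


def report(index_lines, read_file=_read_audit_file):
    """Resolve each index line to its audit file and the rules it recorded."""
    results = []
    for line in index_lines:
        entry = parse_index_line(line)
        if entry is None:
            continue
        try:
            rules = triggered_rules(read_file(entry["path"]))
        except OSError:
            rules = None  # audit file missing or unreadable
        results.append({"client": entry["client"], "request": entry["request"],
                        "status": entry["status"], "path": entry["path"],
                        "rules": rules})
    return results


# Two index lines copied from the audit_log excerpt in the question.
SAMPLE_INDEX_LINES = [
    'www.smallgod.net 76.14.57.52 - - [16/Mar/2011:19:30:11 --0700] "GET /server-status/ HTTP/1.1" 401 1214 "-" "-" cNlfvEgKIkkAAHb@qTkAAAAF "-" /20110316/20110316-1930/20110316-193011-cNlfvEgKIkkAAHb@qTkAAAAF 0 1433 md5:056355727a4514ca1cec861e6d8b8108',
    'www.foncocreative.net 87.118.102.188 - - [16/Mar/2011:19:31:33 --0700] "POST /indieforum/posting.php?mode=reply&f=3&sid=a799a44077287a32f9e2e005848da54e&t=1353 HTTP/1.0" 403 962 "-" "-" dbi8skgKIkkAAD1vOrsAAAAC "-" /20110316/20110316-1931/20110316-193133-dbi8skgKIkkAAD1vOrsAAAAC 0 9731 md5:fc9582a87c8deb6c777e3583eaf29c28',
]

# Constructed stand-in for the audit file of the second line (only the H
# part matters here); rule ids, rules file path and messages are made up.
SAMPLE_AUDIT_FILES = {
    AUDIT_ROOT + "/20110316/20110316-1931/20110316-193133-dbi8skgKIkkAAD1vOrsAAAAC":
        "--dbi8skgK-H--\n"
        'Message: Warning. Pattern match "example" at ARGS:message. '
        '[file "/path/to/rules.conf"] [line "1"] [id "999001"] '
        '[msg "Constructed sample warning rule"]\n'
        'Message: Access denied with code 403 (phase 2). Pattern match "example" at ARGS:message. '
        '[file "/path/to/rules.conf"] [line "2"] [id "999002"] '
        '[msg "Constructed sample blocking rule"]\n'
        "Action: Intercepted (phase 2)\n"
        "--dbi8skgK-Z--\n",
}


def sample_reader(path):
    """Stand-in for reading from disk so the example runs offline."""
    if path not in SAMPLE_AUDIT_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_AUDIT_FILES[path]


if __name__ == "__main__":
    for r in report(SAMPLE_INDEX_LINES, read_file=sample_reader):
        print(r["client"], r["status"], r["request"])
        print("  audit file:", r["path"])
        if r["rules"] is None:
            print("  (audit file not found)")
        for rule_id, msg, blocked in r["rules"] or []:
            print("  rule", rule_id, "BLOCKED" if blocked else "warn", "-", msg)
```

On a real server you would drop the sample_reader argument so report() reads the files under /var/asl/data/audit directly; a 401 on /server-status with no rule ids in the H part (as for the first sample line here) points at Apache's own access control rather than a ModSecurity rule, which is worth checking before hunting for a false positive.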
jpkelly
Forum User
Posts: 85 Joined: Sat Jan 20, 2007 6:57 pm
by jpkelly » Thu Mar 17, 2011 1:57 pm
Is there a free version of the ASL panel?
Highland
Forum Regular
Posts: 674 Joined: Mon Apr 10, 2006 12:55 pm
by Highland » Thu Mar 17, 2011 2:18 pm
Gah. Forgot these were free rules. I don't think there is.
At any rate you still have the physical logs.
scott
Atomicorp Staff - Site Admin
Posts: 8355 Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
by scott » Thu Mar 17, 2011 3:14 pm
There's a free 30 day trial.
jpkelly
Forum User
Posts: 85 Joined: Sat Jan 20, 2007 6:57 pm
by jpkelly » Thu Mar 17, 2011 9:32 pm
How do I add a 30 day trial to my profile? I tried both Google Checkout and PayPal but am unable to add a subscription.