Atomic Secure Linux
All times are UTC - 5 hours [ DST ]
 Post subject: which rules are triggering?
Unread postPosted: Wed Mar 16, 2011 10:42 pm 
Forum User

Joined: Sat Jan 20, 2007 6:57 pm
Posts: 83
I am seeing activity in the logs which shows clients getting blocked where I know this activity should be ok.
Also I am unable to view the server-status page even with my IP in the whitelist.
How can I tell which rules are getting triggered?
Here are audit_log entries:
Code:
www.smallgod.net 76.14.57.52 - - [16/Mar/2011:19:28:39 --0700] "GET /server-info/ HTTP/1.1" 404 65113 "-" "-" a09nJkgKIkkAAHcHtyMAAAAG "-" /20110316/20110316-1928/20110316-192839-a09nJkgKIkkAAHcHtyMAAAAG 0 2623285 md5:97422f5878bbf22bff3c8064c93883e0
make-one.co 76.90.211.164 - - [16/Mar/2011:19:30:06 --0700] "GET /contact-subscribe/?visual-editor=true HTTP/1.1" 500 37743 "-" "-" cIUdoUgKIkkAABzaEw0AAAAA "-" /20110316/20110316-1930/20110316-193006-cIUdoUgKIkkAABzaEw0AAAAA 0 2246 md5:77c3ff3123167de4bbd25054a242d13f
www.smallgod.net 76.14.57.52 - - [16/Mar/2011:19:30:11 --0700] "GET /server-status/ HTTP/1.1" 401 1214 "-" "-" cNlfvEgKIkkAAHb@qTkAAAAF "-" /20110316/20110316-1930/20110316-193011-cNlfvEgKIkkAAHb@qTkAAAAF 0 1433 md5:056355727a4514ca1cec861e6d8b8108
www.foncocreative.net 87.118.102.188 - - [16/Mar/2011:19:31:33 --0700] "POST /indieforum/posting.php?mode=reply&f=3&sid=a799a44077287a32f9e2e005848da54e&t=1353 HTTP/1.0" 403 962 "-" "-" dbi8skgKIkkAAD1vOrsAAAAC "-" /20110316/20110316-1931/20110316-193133-dbi8skgKIkkAAD1vOrsAAAAC 0 9731 md5:fc9582a87c8deb6c777e3583eaf29c28
make-one.co 76.90.211.164 - - [16/Mar/2011:19:33:01 --0700] "GET /contact-subscribe/?visual-editor=true HTTP/1.1" 500 37690 "-" "-" evClw0gKIkkAAHcN3kEAAAAJ "-" /20110316/20110316-1933/20110316-193301-evClw0gKIkkAAHcN3kEAAAAJ 0 2246 md5:0373ad735f3029bb532e22f835236ee5
make-one.co 76.90.211.164 - - [16/Mar/2011:19:37:08 --0700] "GET /contact-subscribe/?visual-editor=true HTTP/1.1" 500 37659 "-" "-" iaZmnEgKIkkAAGcbZ6AAAAAA "-" /20110316/20110316-1937/20110316-193708-iaZmnEgKIkkAAGcbZ6AAAAAA 0 2221 md5:015d8f335f581528770ee310140b52e5


 Post subject: Re: which rules are triggering?
Unread postPosted: Thu Mar 17, 2011 8:08 am 
Forum Regular

Joined: Mon Apr 10, 2006 12:55 pm
Posts: 669
You're looking at the Apache logs. By default, full modsec logs are kept in /var/asl/data/audit and your Apache logs tell you what file to look at. So
Quote:
www.smallgod.net 76.14.57.52 - - [16/Mar/2011:19:28:39 --0700] "GET /server-info/ HTTP/1.1" 404 65113 "-" "-" a09nJkgKIkkAAHcHtyMAAAAG "-" /20110316/20110316-1928/20110316-192839-a09nJkgKIkkAAHcHtyMAAAAG 0 2623285 md5:97422f5878bbf22bff3c8064c93883e0

means your event was logged in
/var/asl/data/audit/20110316/20110316-1928/20110316-192839-a09nJkgKIkkAAHcHtyMAAAAG

Honestly, this is the hard way to do it. The ASL panel (https://<your ip here>:30000) is the easy way, since it shows you all events and gives you one-click access to see logs (by domain!) and to report false positives.



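Worked example of the lookup the reply above describes, added here and not code from the thread or from Atomicorp: it takes the Apache log lines quoted in the first post, turns the trailing path field into the absolute file name under the default /var/asl/data/audit, and then reads the rule ids out of that file. The audit-file contents below are constructed for the example (the rule ids, the rule file path and the port numbers are placeholders, not real ASL rules); only the lettered-part layout and the `Message: ... [id "..."] [msg "..."]` tagging of part H follow the ModSecurity 2.x audit-log format.

```python
"""Added example: map the thread's Apache log lines to their mod_security audit
files under /var/asl/data/audit and list the rule ids that fired (part H)."""
import re
from pathlib import Path

AUDIT_ROOT = "/var/asl/data/audit"   # ASL default, as stated in the reply above

# Log lines quoted from the thread: host, client, ident, user, [timestamp],
# "request", status, bytes, "referer", "agent", unique-id, "-", audit path, ...
LOG_LINES = [
    'www.smallgod.net 76.14.57.52 - - [16/Mar/2011:19:28:39 --0700] "GET /server-info/ HTTP/1.1" 404 65113 "-" "-" a09nJkgKIkkAAHcHtyMAAAAG "-" /20110316/20110316-1928/20110316-192839-a09nJkgKIkkAAHcHtyMAAAAG 0 2623285 md5:97422f5878bbf22bff3c8064c93883e0',
    'www.smallgod.net 76.14.57.52 - - [16/Mar/2011:19:30:11 --0700] "GET /server-status/ HTTP/1.1" 401 1214 "-" "-" cNlfvEgKIkkAAHb@qTkAAAAF "-" /20110316/20110316-1930/20110316-193011-cNlfvEgKIkkAAHb@qTkAAAAF 0 1433 md5:056355727a4514ca1cec861e6d8b8108',
    'www.foncocreative.net 87.118.102.188 - - [16/Mar/2011:19:31:33 --0700] "POST /indieforum/posting.php?mode=reply&f=3&sid=a799a44077287a32f9e2e005848da54e&t=1353 HTTP/1.0" 403 962 "-" "-" dbi8skgKIkkAAD1vOrsAAAAC "-" /20110316/20110316-1931/20110316-193133-dbi8skgKIkkAAD1vOrsAAAAC 0 9731 md5:fc9582a87c8deb6c777e3583eaf29c28',
]

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*" '
    r'(?P<uid>\S+) "[^"]*" (?P<audit>/\S+)'
)

def audit_path(log_line, root=AUDIT_ROOT):
    """Return (status, client ip, absolute audit-file path) for one log line, or None."""
    m = LOG_RE.match(log_line)
    if m is None:
        return None
    return int(m.group("status")), m.group("client"), root + m.group("audit")

# A ModSecurity 2.x audit entry is split into lettered parts by "--<boundary>-X--"
# lines; part H holds one "Message:" line per rule that matched, carrying the
# rule's [id "..."] [msg "..."] [file "..."] tags. CONSTRUCTED sample entry: the
# ids 300001/300002, /path/to/rules.conf and the ports are placeholders.
SAMPLE_AUDIT = """--c1d88a30-A--
[16/Mar/2011:19:31:33 --0700] dbi8skgKIkkAAD1vOrsAAAAC 87.118.102.188 51234 10.0.0.5 80
--c1d88a30-B--
POST /indieforum/posting.php?mode=reply&f=3&sid=a799a44077287a32f9e2e005848da54e&t=1353 HTTP/1.0
--c1d88a30-F--
HTTP/1.0 403 Forbidden
--c1d88a30-H--
Message: Warning. Pattern match "example" at ARGS:message. [file "/path/to/rules.conf"] [line "12"] [id "300001"] [msg "constructed sample rule (warn only)"]
Message: Access denied with code 403 (phase 2). Pattern match "(?:<|&lt;)script" at ARGS:message. [file "/path/to/rules.conf"] [line "40"] [id "300002"] [msg "constructed sample rule: XSS"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--c1d88a30-Z--
"""

PART_RE = re.compile(r'^--[0-9A-Za-z@]+-([A-Z])--$', re.M)
MESSAGE_RE = re.compile(r'^Message: (?P<msg>.*)$', re.M)
TAG_RE = re.compile(r'\[(?P<key>id|msg|file|line|severity) "(?P<val>[^"]*)"\]')

def audit_part(audit_text, letter):
    """Return the body of one lettered part (e.g. "H") of an audit entry, or ""."""
    parts = PART_RE.split(audit_text)   # [preamble, letter, body, letter, body, ...]
    for i in range(1, len(parts) - 1, 2):
        if parts[i] == letter:
            return parts[i + 1]
    return ""

def triggered_rules(audit_text):
    """Every rule that matched, flagged with whether it was the one that blocked."""
    rules = []
    for m in MESSAGE_RE.finditer(audit_part(audit_text, "H")):
        tags = dict(TAG_RE.findall(m.group("msg")))
        if "id" in tags:     # lines without an id tag are engine notices, not rule hits
            rules.append({"id": tags["id"], "msg": tags.get("msg", ""),
                          "file": tags.get("file", ""),
                          "denied": m.group("msg").startswith("Access denied")})
    return rules

def report(log_lines, files=None):
    """For each 4xx/5xx request, locate its audit file and list the rules that fired.
    files: optional {absolute path: text} stand-in for the audit directory;
    when None the paths are read from disk."""
    out = []
    for line in log_lines:
        parsed = audit_path(line)
        if parsed is None:
            continue
        status, client, path = parsed
        if status < 400:
            continue
        try:
            text = files[path] if files is not None else Path(path).read_text(errors="replace")
        except (KeyError, OSError):
            text = None      # audit file missing or unreadable (e.g. already rotated)
        out.append({"client": client, "status": status, "audit_file": path,
                    "rules": None if text is None else triggered_rules(text)})
    return out

if __name__ == "__main__":
    blocked = audit_path(LOG_LINES[2])[2]
    for entry in report(LOG_LINES, files={blocked: SAMPLE_AUDIT}):
        print(entry["status"], entry["client"], entry["audit_file"])
        for r in entry["rules"] or []:
            print("   ", "DENIED" if r["denied"] else "warn  ", r["id"], r["msg"])
```

On a real box, call `report()` without `files` so it reads the audit directory directly; the `denied` flag separates the rule that actually returned the 403 from rules that only logged a warning on the same request, which is what you need when deciding which id to whitelist. Note that the 401 on /server-status is Apache asking for credentials, so its audit entry will usually show no rule hit in part H; that one is worth checking in the server-status `<Location>` access configuration rather than in the rule set.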
 Post subject: Re: which rules are triggering?
Unread postPosted: Thu Mar 17, 2011 1:57 pm 
Forum User

Joined: Sat Jan 20, 2007 6:57 pm
Posts: 83
Is there a free version of the ASL panel?


 Post subject: Re: which rules are triggering?
Unread postPosted: Thu Mar 17, 2011 2:18 pm 
Forum Regular

Joined: Mon Apr 10, 2006 12:55 pm
Posts: 669
Gah. Forgot these were free rules. I don't think there is.

At any rate, you still have the physical logs.



 Post subject: Re: which rules are triggering?
Unread postPosted: Thu Mar 17, 2011 3:14 pm 
Atomicorp Staff - Site Admin

Posts: 7776
Location: earth
There's a free 30-day trial.


 Post subject: Re: which rules are triggering?
Unread postPosted: Thu Mar 17, 2011 3:27 pm 
Forum User

Joined: Sat Jan 20, 2007 6:57 pm
Posts: 83
hmmm... :wink:


 Post subject: Re: which rules are triggering?
Unread postPosted: Thu Mar 17, 2011 9:32 pm 
Forum User

Joined: Sat Jan 20, 2007 6:57 pm
Posts: 83
How do I add a 30-day trial to my profile? I tried both Google Checkout and PayPal but am unable to add a subscription.

