Hi Dan,
The apache log is:

[Tue Sep 25 11:03:50 2012] [error] [client 192.168.21.18] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4\xe2 ..." at REQUEST_COOKIES:__utmz. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "\xc2\xba49 d"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri "/sites/all/themes/mysite/img/btlai.jpg"] [unique_id "UGG5xn8AAAEAABzuFRgAAAAS"]

[Tue Sep 25 11:03:50 2012] [error] [client 192.168.21.18] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4\xe2 ..." at REQUEST_COOKIES:__utmz. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "\xc2\xba49 d"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri "/sites/all/themes/mysite/img/logo-brasil.jpg"] [unique_id "UGG5xn8AAAEAAByF90UAAAAP"]

thanks!!

On Tue, Sep 25, 2012 at 11:08 AM, dan (ddp) <[email protected]> wrote:
> On Tue, Sep 25, 2012 at 10:04 AM, Leonardo Bacha Abrantes
> <[email protected]> wrote:
> > Guys,
> >
> > I created a rule and inserted it into local_rules.xml, but it is not
> > working.
> >
> > <group name="web,accesslog,">
> >   <rule id="100201" level="5">
> >     <if_sid>31100</if_sid> <!-- I also tried to put the specific rule
> >                                 number (30119, 30118, etc.) -->
> >     <match>^client 192.168.21.18</match>
> >     <options>no_email_alert</options>
> >   </rule>
> > </group>
> >
> > What is wrong with it?
> >
> > thanks!
> >
>
> Your log sample didn't come through, or I missed it. Can you resend?
>
> >
> > On Mon, Sep 24, 2012 at 9:13 AM, Leonardo Bacha Abrantes
> > <[email protected]> wrote:
> >>
> >> yes! exactly this! :)
> >>
> >> On Sun, Sep 23, 2012 at 11:30 AM, JB <[email protected]> wrote:
> >>>
> >>> Do you mean NOT to trigger alerts when the "Location" is
> >>> 'your.reverse.proxy.ip -> /var/log/httpd/access_log'?
> >>>
> >>> On Friday, September 21, 2012 10:58:17 AM UTC-7, Leonardo Bacha Abrantes
> >>> wrote:
> >>>>
> >>>> Hey guys!
> >>>>
> >>>> I have a machine working as a reverse proxy that redirects requests to
> >>>> another machine, which is my webserver, and I am receiving a lot of
> >>>> alerts from my webserver that have the IP of my reverse proxy.
> >>>> I don't want to receive alerts from my webserver that have the IP of my
> >>>> reverse proxy.
> >>>>
> >>>> I found the rule below to ignore any alert, but how can I specify to
> >>>> ignore alerts only in access.log and error.log from the reverse proxy?
> >>>>
> >>>> <rule id="100123" level="0">
> >>>>   <if_level>8</if_level>
> >>>>   <srcip>Ip of my reverse proxy</srcip>
> >>>>   <description>Ignoring any alert above level 8 that has MYIP
> >>>>   decoded.</description>
> >>>> </rule>
> >>>>
> >>>> many thanks!
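An added example, not part of the thread or of OSSEC itself, that works through the two questions above: what the posted ModSecurity error-log entries actually look like once split into fields, and why a `<match>^client 192.168.21.18</match>` never fires against them. The sample input is the two lines posted in this thread (with the long "Pattern match" regex shortened) plus one constructed entry from a different client address. `ossec_match` is a deliberately small stand-in for OSSEC's own pattern engine (an assumption: a leading `^` anchors at the start of the text, anything else is a substring test), and `strip_apache_timestamp` assumes OSSEC drops the leading Apache timestamp before rules see the line. The conclusion does not depend on that assumption: the raw line begins with `[Tue ...` and the stripped one with `[error] [client ...`, so neither begins with `client`.

```python
import re

# Constructed sample input: the two entries posted in this thread (long regex
# shortened to "...") and one made-up entry from another client, so that a
# "not from the proxy" filter has something to keep.
SAMPLE_LOG = [
    '[Tue Sep 25 11:03:50 2012] [error] [client 192.168.21.18] ModSecurity: '
    'Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\\s*?'
    '(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select) ..." at REQUEST_COOKIES:__utmz. '
    '[file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] '
    '[data "\\xc2\\xba49 d"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] '
    '[hostname "www.mysite.com"] [uri "/sites/all/themes/mysite/img/btlai.jpg"] '
    '[unique_id "UGG5xn8AAAEAABzuFRgAAAAS"]',
    '[Tue Sep 25 11:03:50 2012] [error] [client 192.168.21.18] ModSecurity: '
    'Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\\s*?'
    '(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select) ..." at REQUEST_COOKIES:__utmz. '
    '[file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] '
    '[data "\\xc2\\xba49 d"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] '
    '[hostname "www.mysite.com"] [uri "/sites/all/themes/mysite/img/logo-brasil.jpg"] '
    '[unique_id "UGG5xn8AAAEAAByF90UAAAAP"]',
    # Constructed: a direct client, not the reverse proxy (203.0.113.7 is a documentation address).
    '[Tue Sep 25 11:05:12 2012] [error] [client 203.0.113.7] ModSecurity: '
    'Access denied with code 403 (phase 2). Pattern match "(?i:(?:union ... select) ..." at ARGS:id. '
    '[file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] '
    '[data "1 or 1=1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] '
    '[hostname "www.mysite.com"] [uri "/index.php"] [unique_id "constructed-0003"]',
]

# Apache 2.2 error-log prefix: [timestamp] [level] [client IP] message
ENTRY_RE = re.compile(
    r'^\[(?P<timestamp>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<message>.*)$'
)
# ModSecurity's trailing [key "value"] fields; values may contain \" and \xHH escapes.
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<value>(?:[^"\\]|\\.)*)"\]')
# "[Tue Sep 25 11:03:50 2012] " at the start of the line.
APACHE_TS_RE = re.compile(r'^\[[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}\] ')


def parse_entry(line):
    """Split one error-log line into timestamp, level, client and the
    ModSecurity [key "value"] fields; None if it is not in that shape."""
    m = ENTRY_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["fields"] = dict(FIELD_RE.findall(entry["message"]))
    return entry


def strip_apache_timestamp(line):
    """Drop the leading "[Tue Sep 25 ...] " so the text starts at "[error] ...".
    Assumption: this approximates the cleaning OSSEC applies before rules run."""
    return APACHE_TS_RE.sub("", line, count=1)


def ossec_match(pattern, text):
    """Stand-in for an OSSEC <match>, not OSSEC's own engine (assumption):
    a leading '^' anchors at the start of the text, otherwise substring test."""
    if pattern.startswith("^"):
        return text.startswith(pattern[1:])
    return pattern in text


def from_proxy(line, proxy_ip):
    """True when the entry's [client ...] address is the reverse proxy."""
    entry = parse_entry(line)
    return entry is not None and entry["client"] == proxy_ip


def entries_not_from_proxy(lines, proxy_ip):
    """Parsed entries whose client address is not the reverse proxy."""
    parsed = (parse_entry(l) for l in lines)
    return [e for e in parsed if e is not None and e["client"] != proxy_ip]


if __name__ == "__main__":
    first = SAMPLE_LOG[0]
    cleaned = strip_apache_timestamp(first)
    print("raw line starts with:     ", first[:45])
    print("after timestamp strip:    ", cleaned[:45])
    print("'^client 192.168.21.18' vs raw:    ", ossec_match("^client 192.168.21.18", first))
    print("'^client 192.168.21.18' vs cleaned:", ossec_match("^client 192.168.21.18", cleaned))
    print("'[client 192.168.21.18]' vs cleaned:", ossec_match("[client 192.168.21.18]", cleaned))
    for e in entries_not_from_proxy(SAMPLE_LOG, "192.168.21.18"):
        print("kept:", e["client"], e["fields"]["id"], e["fields"]["uri"])
```

The anchor is the whole problem: `^client` demands that the text begin with `client`, and an Apache error-log line never does. Dropping the `^`, or matching on `[client 192.168.21.18]`, is what a substring condition on this text looks like. Separately, the stock OSSEC apache-errorlog decoder pulls the address after `[client` out as `srcip` (check the `apache-errorlog-ip` decoder in your decoder.xml), which is why the `<srcip>` form of the rule quoted earlier in the thread is the usual way to key on the proxy's address rather than a `<match>` on the text.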
