mod_security - SecAuditLogRelevantStatus just not working

Discussion in 'Security' started by santrix, Aug 2, 2011.

    santrix Well-Known Member

    I know this isn't really a cPanel issue, but I'm wondering if it is related to the flag I'm trying to use not being recognised by the version of mod_security installed via EasyApache...

    We are running Apache 2.2, and compiled in mod_security using EA.

    I have these lines (in amongst other stuff) in /usr/local/apache/conf/modsec2.conf

    Code:
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|3|4(?!04))"
    SecAuditLog logs/modsec_audit.log 
    SecDefaultAction "phase:2,deny,log,status:406"
    
    The regex (which I understand needs to be within quotes) should only allow status codes starting with 3, 4, or 5 and exclude 404 specifically (I'm not sure why the backreferences need to be excluded in the regex).

    The problem is that the modsec_audit.log file is being filled up with HTTP/1.1 200 OK entries as though the regex wasn't there. I have tried to fix this on and off for months... anyone got any clues?

    The SecAuditEngine and SecAuditLogRelevantStatus directives are not included anywhere else in the modsec conf files...
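
A triage sketch for the symptom described above, added here as an example and not part of the original post: in ModSecurity 2.x, `RelevantOnly` records a transaction when its status matches `SecAuditLogRelevantStatus` or when a rule raised a warning or error, so a 200 entry with `Message:` lines in section H was logged for the rule hit, not for its status. The log sample is constructed, and the function name `triage` and its reason labels are assumptions.

```python
import re

# Pattern copied from the post's SecAuditLogRelevantStatus directive.
RELEVANT_STATUS = re.compile(r"^(?:5|3|4(?!04))")
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")  # e.g. --aaaa0001-F--

# Constructed sample in serial audit log layout (not data from the post).
# Assumes SecAuditLogParts includes F (response headers) and H (trailer).
SAMPLE_LOG = """\
--aaaa0001-A--
--aaaa0001-F--
HTTP/1.1 200 OK
--aaaa0001-H--
Message: Warning. Pattern match "example" at ARGS:q. [id "900001"]
--aaaa0001-Z--
--aaaa0002-A--
--aaaa0002-F--
HTTP/1.1 406 Not Acceptable
--aaaa0002-H--
Message: Access denied with code 406 (phase 2). [id "900002"]
--aaaa0002-Z--
--aaaa0003-A--
--aaaa0003-F--
HTTP/1.1 200 OK
--aaaa0003-H--
Stopwatch: 1312275609000000 1200 (300 900 -)
--aaaa0003-Z--
"""

def triage(log_text):
    """Map each transaction id to (status, why it counts as relevant)."""
    txs, tx, part = {}, None, None
    for line in log_text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            tx, part = m.groups()
            txs.setdefault(tx, {"status": None, "messages": 0})
        elif tx and part == "F" and txs[tx]["status"] is None:
            s = re.match(r"HTTP/\d\.\d (\d{3})", line)
            txs[tx]["status"] = s.group(1) if s else None
        elif tx and part == "H" and line.startswith("Message:"):
            txs[tx]["messages"] += 1
    out = {}
    for tx, d in txs.items():
        by_status = bool(d["status"] and RELEVANT_STATUS.match(d["status"]))
        reason = "status" if by_status else "rule-message" if d["messages"] else "unexplained"
        out[tx] = (d["status"], reason)
    return out
```

Entries that come back as `unexplained` (a non-matching status and no rule message) are the ones that point to the two audit directives not being in effect for that request.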
     