Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

mod_security - SecAuditLogRelevantStatus just not working

Discussion in 'Security' started by santrix, Aug 2, 2011.

  1. santrix

    santrix Well-Known Member

    Nov 30, 2008
    Likes Received:
    Trophy Points:
    I know this isn't really a cpanel issue, but I'm wondering if it is related to the flag I'm trying to use, not being recognised by the version of mod_security installed via easyapache...

    We are running apache 2.2, and compiled in mod_security using EA.

    I have these lines (in amongst other stuff) in /usr/local/apache/conf/modsec2.conf

    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|3|4(?!04))"
    SecAuditLog logs/modsec_audit.log 
    SecDefaultAction "phase:2,deny,log,status:406"
    The regex (which I understand needs to be within quotes) should only allow status codes starting with 3, 4, or 5 and exclude 404 specifically (I'm not sure why the backreferences need to be excluded in the regex)

    The problem is that the modsec_audit.log file is being filled up with HTTP/1.1 200 OK entries as though the regex wasn't there. I have tried to fix this on and off for months... anyone got any clues?

    The SecAuditEngine and SecAuditLogRelevantStatus directoves are not included anywhere else in the modsec conf files...

Share This Page