OSSEC junkie | 29 Jan 18:01

RBL Lookup File - ip.pag help!

All:

I am using the RBL lookup and the ip.pag file is huge.  I thought this
would be recycled nightly but I guess not.  Any ideas or insight on
how to shrink it would be great.  I could script the file to be deleted
nightly but just wanted to make sure there isn't something I need to
be doing but am not.

My current rule set being used is:

SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
    "phase:1,t:none,pass,nolog,skipAfter:END_RBL_LOOKUP"

SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" \
    "phase:1,t:none,log,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,logdata:'%{TX.0}',setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var},setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"

SecAction "phase:1,t:none,nolog,pass,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400"

SecMarker END_RBL_LOOKUP

SecRule IP:SPAMMER "@eq 1" \
    "phase:1,t:none,log,auditlog,msg:'Request from Known SPAM Source (Previous RBL Match)',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,logdata:'%{TX.0}',setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}"

SecMarker END_RBL_CHECK

Any ideas as to why the log file is so huge?  The expirevar option is
in the configuration but no luck.  I will ultimately be forced to
delete the file nightly... or is that the ideal way to handle it?
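The ip.pag file in the question is an APR sdbm database, and sdbm never shrinks a .pag file: records that expire are removed inside their page, but the file keeps every page it ever grew to, so its size says nothing about how many entries are still live. The Python script below is added here and is not part of the original post or of ModSecurity; it walks the pages of a .pag image and reports how many pages are empty and which keys (for the ip collection, normally client addresses) are still present, so you can check whether expirevar is actually clearing entries before resorting to deleting the file. It assumes APR's 1024-byte sdbm page size and native short byte order; build_sdbm_page is a helper for constructing sample data and mirrors sdbm's putpair.

```python
import struct
import sys

PBLKSIZ = 1024  # sdbm page size used by APR (assumed: apr_sdbm_private.h)


def parse_sdbm_page(page):
    """Return [(key, value), ...] stored in one sdbm page.

    Layout: ino[0] = number of offsets (two per pair), followed by the
    key and value offsets; the data itself is packed from the end of the
    page downwards, key first, then value.
    """
    if len(page) != PBLKSIZ:
        raise ValueError("page must be exactly %d bytes" % PBLKSIZ)
    n = struct.unpack_from("=h", page, 0)[0]
    offsets = struct.unpack_from("=%dh" % n, page, 2) if n > 0 else ()
    pairs, end = [], PBLKSIZ
    for i in range(0, n, 2):
        koff, voff = offsets[i], offsets[i + 1]
        if not 0 < voff <= koff <= end:  # offsets must descend within the page
            raise ValueError("corrupt offsets in page")
        pairs.append((page[koff:end], page[voff:koff]))
        end = voff
    return pairs


def build_sdbm_page(pairs):
    """Inverse of parse_sdbm_page, used here only to construct sample pages."""
    page, offsets, off = bytearray(PBLKSIZ), [], PBLKSIZ
    for key, val in pairs:
        for item in (key, val):
            off -= len(item)
            page[off:off + len(item)] = item
            offsets.append(off)
    header = struct.pack("=%dh" % (len(offsets) + 1), len(offsets), *offsets)
    if len(header) > off:
        raise ValueError("pairs do not fit in one page")
    page[:len(header)] = header
    return bytes(page)


def summarize_pag(data):
    """Return (total_pages, empty_pages, live_keys) for a whole .pag image."""
    pages = [data[i:i + PBLKSIZ] for i in range(0, len(data), PBLKSIZ)]
    keys = [k for p in pages if len(p) == PBLKSIZ for k, _ in parse_sdbm_page(p)]
    empty = sum(1 for p in pages if p.count(b"\0") == len(p))
    return len(pages), empty, keys


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:  # e.g. /var/lib/modsecurity/ip.pag
        total, empty, keys = summarize_pag(f.read())
    print("%d pages, %d empty, %d live keys" % (total, empty, len(keys)))
```

Run it against a copy of ip.pag taken while Apache is running; a large file with few live keys means expirevar is working and the size is just sdbm's never-shrinking page allocation.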

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users