I have looked around on the net and have seen many common answers for this; however, none of them are working.
I am trying to use this to ignore whenever our scans kick off in the morning.
SecRule REMOTE_HOST "@ipmatch 99.123.33.87" "id:90000009,phase:1,t:none,allow,nolog,ctl:ruleRemovebyID=.*;"
Anyone know what the problem might be?
Best Answer
Several problems:
1. REMOTE_HOST is a name, not an IP address. You want REMOTE_ADDR.
2. "ctl:ruleRemovebyID=.*" is not valid syntax and, even if it was, should not be necessary (though see point 4 below).
3. Don't need the semi-colon at the end.
4. "Allow" is ignored in DetectionOnly mode, which I think is counterintuitive and can lead to a lot of false detections if you need to switch to this mode for some reason. So I always add "ctl:ruleEngine=On" to any "allow" rules I write to force this rule to also work even when in that mode.
Final correct version of your rule is therefore:
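An added example, not part of the original answer (whose final rule is not reproduced on this page): a small Python linter that checks a single-line allow rule for the four problems listed above. `REWRITTEN_RULE` is assembled here from those four points, and the function name and the simple comma split of the action list are assumptions of this sketch.

```python
import re

# The rule from the question, and a rewrite constructed for this example
# from the answer's four points (not quoted from the answer itself).
QUESTION_RULE = 'SecRule REMOTE_HOST "@ipmatch 99.123.33.87" "id:90000009,phase:1,t:none,allow,nolog,ctl:ruleRemovebyID=.*;"'
REWRITTEN_RULE = 'SecRule REMOTE_ADDR "@ipMatch 99.123.33.87" "id:90000009,phase:1,t:none,allow,nolog,ctl:ruleEngine=On"'

# Single-line form only: SecRule VARIABLES "OPERATOR" "ACTIONS"
SECRULE = re.compile(r'^\s*SecRule\s+(\S+)\s+"([^"]*)"\s+"([^"]*)"\s*$')
ID_OR_RANGE = re.compile(r'^\d+(-\d+)?$')  # what ctl:ruleRemoveById accepts


def lint_allow_rule(line):
    """Return a list of findings for one single-line SecRule directive."""
    m = SECRULE.match(line)
    if not m:
        return ["not a single-line SecRule with quoted operator and actions"]
    variables, operator, actions = m.groups()
    findings = []

    # Point 1: @ipMatch compared against a hostname variable never matches an IP.
    op_name = operator.split()[0].lower() if operator.strip() else ""
    var_names = [v.lstrip("!&").split(":")[0].upper() for v in variables.split("|")]
    if op_name == "@ipmatch" and "REMOTE_HOST" in var_names:
        findings.append("REMOTE_HOST is a name; use REMOTE_ADDR with @ipMatch")

    # Point 3: stray semicolon at the end of the action list.
    if actions.rstrip().endswith(";"):
        findings.append("trailing semicolon in the action list")

    # Assumption: no action value contains a comma (true for allow rules like these).
    acts = [a.strip().rstrip(";") for a in actions.split(",") if a.strip()]
    lowered = [a.lower() for a in acts]

    # Point 2: ctl:ruleRemoveById takes a rule id or id range, not a regex.
    for act in acts:
        key, _, value = act.partition("=")
        if key.lower() == "ctl:ruleremovebyid" and not ID_OR_RANGE.match(value):
            findings.append("ctl:ruleRemoveById needs an id or id range, got %r" % value)

    # Point 4: allow is ignored in DetectionOnly unless the engine is forced on.
    has_allow = any(a == "allow" or a.startswith("allow:") for a in lowered)
    if has_allow and "ctl:ruleengine=on" not in lowered:
        findings.append("allow without ctl:ruleEngine=On is ignored in DetectionOnly")
    return findings


if __name__ == "__main__":
    for rule in (QUESTION_RULE, REWRITTEN_RULE):
        print(rule, "->", lint_allow_rule(rule) or "no findings")
```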