I recommend the use of either the @ipMatch or @ipMatchFromFile operators when inspecting REMOTE_ADDR variable data. 

Ryan Barnett

Lead Security Researcher, SpiderLabs

 

Trustwave | SMART SECURITY ON DEMAND

www.trustwave.com


On Oct 23, 2013, at 2:04 PM, "Jason Sajdak" <jsajdak@acumium.com> wrote:

Or you can use an external file:

SecRule REMOTE_ADDR "@pmFromFile modsecurity_nolog.data" "pass,nolog,id:90020,ctl:auditEngine=Off"

(I'm only turning off logging, not the ruleEngine)

the modsecurity_nolog.data file exists in the same directory as the file containing this directive and contains a new line with each IP.
e.g.

192.168.2.4
192.168.2.5
8.8.8.8

My file contains over 160 lines.


J


On Wed, Oct 23, 2013 at 12:21 PM, Macks, Aaron <amacks@harvardbusiness.org> wrote:
I did that with a rule like this:

SecRule REMOTE_ADDR "^192.168" "phase:1,nolog,id:1,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"

set the proper IP address in the regex and it should ignore it 


A

On Oct 23, 2013, at 11:40 AM, Darvin Rivera Aguilar <darvin@reduc.edu.cu> wrote:


I am running mod_security on Apache webserver and need to know how I can
create a whitelist by IP.

Greetings.
Darvin.,

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

--
Aaron Macks
Systems Architect

Harvard Business Publishing
300 North Beacon St.    |   Watertown, MA 02472
(617) 783-7461                |   Fax: (617) 783-7467


------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/


------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/



This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.