Hi, I wish someone could give me some help here.

I want to write a rule that blocks HTTP traffic whose source IP is from any country other than the US.

I can list all the country codes and use an @within operator, which actually works.

But I want to find a better way, so I tried to negate @within, and then it fails.

Here is what I did:

# Specify GeoIP datafeed
SecGeoLookupDb /etc/httpd/conf/modsecurity/GeoIP-106_20090512.dat

# GeoIP blocking rule, including complete country codes
SecRule REMOTE_ADDR "@geoLookup" \
    "phase:1,chain,drop,ctl:ruleEngine=DetectionOnly,ctl:auditEngine=On,msg:'banned country code Geo-IP',logdata:'client ip: %{REMOTE_ADDR},%{GEO:COUNTRY_CODE}'"
    SecRule GEO:COUNTRY_CODE "!@within US"

SecRule REMOTE_ADDR "@rx ^10\.128\.80\.10$" \
    "phase:1,redirect:http://www.yahoo.com,ctl:ruleEngine=On,ctl:auditEngine=RelevantOnly,msg:'banned IP',logdata:'client ip: %{REMOTE_ADDR},%{REMOTE_ADDR}'"


My test case:

  1. Connect to the web server from an internal IP 10.128.x.x.
  2. The negated rule never triggers.

I checked the GeoIP database; the address 10.128.x.x does not match any country's IP range, so the returned geo country code should be a blank string, which should trigger the SecRule GEO:COUNTRY_CODE "!@within US".


Any thoughts would be appreciated.

Another related question is whether there is any tool that allows me to generate HTTP traffic while manipulating the source IP of these HTTP requests.

Thanks in advance.
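The following configuration is an added example, not code from the post above. It shows a country-blocking rule set that makes the lookup-failure case explicit: in ModSecurity 2.x, @geoLookup returns false and does not populate the GEO collection when the address is not in the database (private ranges such as 10.x.x.x never are), so any rule chained behind it is simply never evaluated. The database path is the one from the post; the rule ids (1001-1003), the marker name END_GEO_BLOCK and the RFC 1918 ranges are assumptions, and the syntax targets ModSecurity 2.7 or later, where rule ids are mandatory.

```apache
# Added example (not from the original post): block non-US clients with
# ModSecurity 2.x GeoIP rules while handling failed lookups explicitly.
# Assumed: rule ids 1001-1003, the marker name, and the private ranges below.
SecGeoLookupDb /etc/httpd/conf/modsecurity/GeoIP-106_20090512.dat

# Private/internal addresses are never in a GeoIP database, so @geoLookup
# returns false for them and a chained GEO:COUNTRY_CODE rule never runs.
# Decide what happens to them explicitly; here they bypass the geo check.
SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" \
    "phase:1,id:1001,pass,nolog,skipAfter:END_GEO_BLOCK"

# A routable address that still fails the lookup: log it so the gap is visible
# instead of silently falling through.
SecRule REMOTE_ADDR "!@geoLookup" \
    "phase:1,id:1002,pass,log,msg:'GeoIP lookup failed',logdata:'client ip: %{REMOTE_ADDR}'"

# Lookup succeeded and the country is not US: deny. @streq compares the whole
# two-letter code, which is the exact test wanted here.
SecRule REMOTE_ADDR "@geoLookup" \
    "phase:1,id:1003,chain,deny,status:403,log,msg:'banned country code Geo-IP',logdata:'client ip: %{REMOTE_ADDR},%{GEO:COUNTRY_CODE}'"
    SecRule GEO:COUNTRY_CODE "!@streq US"

SecMarker END_GEO_BLOCK
```

To exercise the rules without blocking anyone, set SecRuleEngine DetectionOnly globally during the test rather than switching the engine from inside the rule; the audit log then shows which of 1001, 1002 or 1003 matched for a given client address, which is the quickest way to see whether a request is reaching the chained country check at all.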