On Fri, Sep 13, 2013 at 1:08 AM, Macks, Aaron <amacks@harvardbusiness.org> wrote:
I'm in the process of setting up mod_security for the first time, and am trying to whitelist some internal IP addresses using the MODSEC_ENABLE=Off environmental variable.

Hi Aaron,

In ModSecurity v2.x you should use the ctl action to whitelist internal IP addresses, e.g.:

SecRule REMOTE_ADDR "^10\.0\.0\.2$" "phase:1,nolog,id:1,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"

FWIW you could also use the ipMatch operator for more flexibility in defining ranges.

--
 - Josh

 
I'm currently running in detection-only mode, but the modsec audit log is still recording hits, with the expected errors, where the modsec_enable value is "off".

Is this the expected behavior, will it continue to monitor these packets and just not block them, or have I not implemented the environment var properly?  I can verify that the value is getting the OFF value where appropriate (I set it to a header, and see it in the audit logs), and that is happening the first thing in the big <ifmodule mod_security2> block.

thanks
A
--
Aaron Macks
Systems Architect

Harvard Business Publishing
300 North Beacon St.    |   Watertown, MA 02472
(617) 783-7461                |   Fax: (617) 783-7467
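
The ctl-based whitelist from the reply above, extended to address ranges with the ipMatch operator; this is an added example, not part of the original thread. The CIDR ranges, the rule id 1000 and the placement inside the mod_security2 block are assumptions made for illustration.

```apache
<IfModule mod_security2.c>
    # In DetectionOnly mode rules are still evaluated and matches are still
    # logged; only disruptive actions are suppressed. To silence trusted
    # sources, the engine has to be switched off per transaction.
    SecRuleEngine DetectionOnly

    # Weak form for a range: a prefix regex. Unescaped dots match any
    # character, and the pattern cannot express a real netmask.
    # SecRule REMOTE_ADDR "^10.0.1." "id:1000,phase:1,nolog,allow,ctl:ruleEngine=Off"

    # Preferred form: @ipMatch takes a comma-separated list of single
    # addresses and CIDR blocks and compares them numerically.
    # 10.0.0.2 is the address from the thread; the two ranges are
    # constructed sample values.
    #
    # phase:1 evaluates the rule on request headers, before later-phase
    # rules can inspect the body. ctl:ruleEngine=Off stops rule processing
    # for this transaction; ctl:auditEngine=Off keeps it out of the audit log.
    SecRule REMOTE_ADDR "@ipMatch 10.0.0.2,10.0.1.0/24,192.168.10.0/28" \
        "id:1000,phase:1,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"

    # This rule must be loaded before the rule sets it is meant to bypass,
    # so keep it above any Include lines that pull them in.
</IfModule>
```

REMOTE_ADDR is the address of the directly connected peer, so behind a reverse proxy or load balancer every request arrives with the proxy's address and a whitelist like this would exempt all traffic passing through it.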

