From: Sergio <secmas@gmail.com>
Reply-To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Date: Tuesday, August 27, 2013 8:02 PM
To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: Re: [mod-security-users] Does REMOTE_ADDR directive can handle CIDR notation?

Thank you, Josh!

One more question, is it possible to check the @ipMatch with a file filled with the CIDR IPs that I want to block?

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-ipMatchFromFile

-Ryan


Something like this?

SecRule REMOTE_ADDR "@ipMatch IPs-blacklist.txt" "phase:1,id:1,block,msg:'Blocked request due to source IP'"

Right now I am using my rule:
SecRule REMOTE_ADDR "!@pmFromFile IPs-whitelist.txt" \
"chain,deny,nolog,id:199,rev:2,msg:'IP Match: IP is on My IPs Blacklist',severity:'3'"
SecRule REMOTE_ADDR "@pmFromFile IPs-blacklist.txt"

But I need to make it more flexible, so I can use CIDRs and that will be great.

Regards,

Sergio


On Tue, Aug 27, 2013 at 1:28 PM, Josh Amishav-Zlatin <jamuse@owasp.org> wrote:
On Tue, Aug 27, 2013 at 10:14 PM, Sergio <secmas@gmail.com> wrote:
Hi all,
I have a question: can REMOTE_ADDR use CIDR notation, or is it only for exact matches, as in the example in the reference manual?

Example:
SecRule REMOTE_ADDR "@ipMatch 192.168.1.101" "id:35"

I would like to use a rule that can block a range of /16 IPs.


Hi Sergio,

The REMOTE_ADDR variable simply holds the remote address of the client. The ipMatch operator does support CIDR notation. For example the following rule blocks a /16 address range:

SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/16" "phase:1,id:1,block,msg:'Blocked request due to source IP'"
 
--
 - Josh

Thanks in advance.

Regards,

Sergio

------------------------------------------------------------------------------
Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
Discover the easy way to master current and previous Microsoft technologies
and advance your career. Get an incredible 1,500+ hours of step-by-step
tutorial videos with LearnDevNow. Subscribe today and save!
http://pubads.g.doubleclick.net/gampad/clk?id=58040911&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/






This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
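
Added example, not part of the original thread and not ModSecurity code: a Python check for a CIDR blacklist file before it is handed to an IP-matching rule, contrasting network matching with the substring behaviour of phrase matching on addresses. Python's ipaddress module stands in for the operator's matching; the file layout (one address or CIDR per line, `#` comments) and all sample entries are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample list; the one-entry-per-line layout is an assumption.
SAMPLE_BLACKLIST = """\
# constructed sample entries
10.0.0.0/16
192.168.1.101
2001:db8::/32
10.1.1.1/33
"""


def load_networks(text):
    """Parse list entries. Returns (networks, rejected), where rejected
    holds (line_number, entry) for every entry that is not a valid
    address or CIDR block, so a typo is caught before deployment."""
    networks, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not entry:
            continue
        try:
            # strict=False accepts entries with host bits set (10.0.5.9/16)
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append((lineno, entry))
    return networks, rejected


def cidr_match(addr, networks):
    """True if addr falls inside any listed network (CIDR semantics)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in networks)


def phrase_match(addr, phrases):
    """Substring comparison, which is how phrase matching treats an
    address: a listed string matches anywhere inside the client IP."""
    return any(phrase in addr for phrase in phrases)
```

The contrast to look for: a phrase entry of `192.168.1.10` also matches the client `192.168.1.101`, and a phrase entry written as `10.0.0.0/16` matches no client address at all, while the CIDR check handles both correctly.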