Re: [mod-security-users] Dynamic Variable Names
From: Ryan B. <Rya...@Br...> - 2007-11-19 16:51:27
________________________________
From: Owens, Mike, DoIT [mailto:Mik...@st...]
Sent: Monday, November 19, 2007 11:42 AM
To: Ryan Barnett; mod...@li...
Subject: RE: [mod-security-users] Dynamic Variable Names
I take it then that if I create an IP collection using REMOTE_ADDR as
the key, that means there is a set of variables associated w/each IP?
Such that if I set variable ip.rbl, that applies only to the IP address
of ip.key? And a second ip.rbl for a different IP address would be a
distinct value?
[Ryan Barnett] That is correct, once you call up initcol and you use the
REMOTE_ADDR as the key, then anytime you access the "ip" collection
variables, it will only be associated with the current REMOTE_ADDR for
the current transaction.
The documentation implies this, but I'd just like to be sure.
[Ryan Barnett] We will try and make this clearer by posting some
use-case examples on the Mod website.
--
Mike Owens <mik...@st...>
-----Original Message-----
From: Ryan Barnett [mailto:Rya...@Br...]
Sent: Mon 11/19/2007 07:29
To: Owens, Mike, DoIT; mod...@li...
Subject: RE: [mod-security-users] Dynamic Variable Names
Your example rules were pretty close to your desired goals. I fixed
your expirevar setting in the last rule; it had "user.rbl." instead of
"ip.rbl.". Also, since you are already adding the rbl variable to an
IP-based collection, you don't need to attempt to do macro expansion to
include the REMOTE_ADDR variable data in the collection name. Keep in
mind, any data you set/update in this collection is already going to be
matched to this source IP.
Something else to consider - just in the same way that you want to cache
a blocked client so that you don't have to keep doing a RBL check, you
might want to do the same type of caching for clients that don't match
the RBL :) This way, you only check someone once when they first come
in. If they are on the blocklist, then you will just deny them for 3
hours. If they are not on the blocklist, then you will skip the @rbl
check for 3 hours.
Here is an updated rule set that I just tested and it seems to work fine -
# initialize a collection of IP addresses
SecAction initcol:ip=%{REMOTE_ADDR},nolog,pass
# if address has been flagged as in a blocked list, block 'em
SecRule IP:rbl "@eq 1" \
"log,deny,status:403,msg:'%{REMOTE_ADDR} in blocked list',severity:'2',id:'50'"
# if address is NOT in a blocked list, skip these rbl checks
SecRule IP:no_rbl "@eq 1" \
"nolog,pass,skip:2"
# if address is a blocked list, set a flag for 3 hours
SecRule REMOTE_ADDR "@rbl sc.surbl.org" \
"log,deny,status:403,msg:'%{REMOTE_ADDR} in blocked list',setvar:ip.rbl=1,expirevar:ip.rbl=10800,severity:'2',id:'60'"
# if address is not blocked, set a flag for 3 hours to pass
SecRule REMOTE_ADDR "!@rbl sc.surbl.org" \
"nolog,pass,setvar:ip.no_rbl=1,expirevar:ip.no_rbl=10800,severity:'2',id:'70'"
Hope this helps.
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
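A Python model of the collection semantics Ryan describes above (an added example, not ModSecurity code and not from anyone in the thread): an "ip" collection keyed by REMOTE_ADDR, ip.rbl / ip.no_rbl set with a 10800-second expirevar, and the skip that avoids re-running the @rbl check. The rbl_lookup callable and the two client addresses are constructed stand-ins; no DNS query is made.

```python
"""Model of per-IP collection state: each REMOTE_ADDR gets its own variables,
and a cached verdict (either way) suppresses the RBL lookup for TTL seconds."""
import time

TTL = 10800  # the expirevar value from the rules: cache either verdict for 3 hours

# One dict per REMOTE_ADDR (initcol:ip=%{REMOTE_ADDR}); var -> (value, expires_at)
_collections = {}


def _get(coll, name, now):
    """Read a collection variable, treating an expired entry as unset."""
    value, expires_at = coll.get(name, (None, 0))
    return value if expires_at > now else None


def evaluate(remote_addr, rbl_lookup, now=None):
    """Walk the rule chain in order; returns (action, lookup_performed).

    rbl_lookup is a constructed stand-in for '@rbl sc.surbl.org'."""
    now = time.time() if now is None else now
    coll = _collections.setdefault(remote_addr, {})   # initcol:ip=%{REMOTE_ADDR}
    if _get(coll, "rbl", now) == 1:        # SecRule IP:rbl "@eq 1"    -> deny
        return "deny", False
    if _get(coll, "no_rbl", now) == 1:     # SecRule IP:no_rbl "@eq 1" -> skip:2
        return "pass", False
    if rbl_lookup(remote_addr):            # SecRule REMOTE_ADDR "@rbl ..."
        coll["rbl"] = (1, now + TTL)       # setvar:ip.rbl=1,expirevar:ip.rbl=10800
        return "deny", True
    coll["no_rbl"] = (1, now + TTL)        # setvar:ip.no_rbl=1,expirevar:...=10800
    return "pass", True


def demo():
    """Constructed traffic from two clients over four hours; the first is listed.

    Returns the action per request and how many RBL lookups were needed."""
    _collections.clear()
    listed = {"198.51.100.7"}              # constructed sample, not a real listing
    calls = []

    def lookup(ip):
        calls.append(ip)
        return ip in listed

    t0 = 1_000_000
    results = [
        evaluate("198.51.100.7", lookup, t0),
        evaluate("203.0.113.9", lookup, t0 + 60),
        evaluate("198.51.100.7", lookup, t0 + 3600),     # cached deny, no lookup
        evaluate("203.0.113.9", lookup, t0 + 3600),      # cached pass, no lookup
        evaluate("198.51.100.7", lookup, t0 + TTL + 1),  # expired: lookup again
    ]
    return [action for action, _ in results], len(calls)
```

Five requests cost three lookups: the second request from each address is answered from its own collection, and the listed address is re-checked only once its ip.rbl flag has expired.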
________________________________
From: mod...@li...
[mailto:mod...@li...] On Behalf Of
Owens, Mike, DoIT
Sent: Sunday, November 18, 2007 10:43 PM
To: mod...@li...
Subject: [mod-security-users] Dynamic Variable Names
Is there any way to create a variable name dynamically in the setvar
action? Something like this:
# initialize a collection of IP addresses
SecAction initcol:ip=%{REMOTE_ADDR},nolog
# if address has been flagged as in a blocked list, block 'em
SecRule IP:rbl_%{REMOTE_ADDR} "@eq 1" \
"log,deny,status:403,msg:'%{REMOTE_ADDR} in blocked list',severity:'2',id:'50'"
# if address is a blocked list, set a flag for 3 hours
SecRule REMOTE_ADDR "@rbl sc.surbl.org" \
"log,deny,status:403,msg:'%{REMOTE_ADDR} in blocked list',setvar:ip.rbl_%{REMOTE_ADDR}=1,expirevar:user.rbl_%{REMOTE_ADDR}=10800,severity:'2',id:'60'"
As this example attempts to demonstrate, what I want to do is cache an
IP I find in an RBL to avoid having to check it against the RBL again
for a certain amount of time.
--
Mike Owens <mik...@st...>