[mod-security-users] GeoIP match rule, problem
From: Yi Li <yi...@gm...> - 2009-09-30 21:31:22
Hi, I wish someone could give me some help here. I want to write a rule that blocks HTTP traffic whose source IP is from any country other than the US. I can list all the country codes and use a @within operator, which actually works, but I want to find a better way, so I tried to negate @within, and then it fails. Here is what I did:

    # Specify GeoIP datafeed
    SecGeoLookupDb /etc/httpd/conf/modsecurity/GeoIP-106_20090512.dat

    # GeoIP blocking rule, including complete country codes
    SecRule REMOTE_ADDR @geoLookup \
        "phase:1,chain,drop,ctl:ruleEngine=DetectionOnly,ctl:auditEngine=On,msg:'banned country code Geo-IP',logdata:'client ip: %{REMOTE_ADDR},%{GEO:COUNTRY_CODE}'"
    SecRule GEO:COUNTRY_CODE "!@within US"

    SecRule REMOTE_ADDR "@rx ^10\.128\.80\.10$" \
        "phase:1,redirect:http://www.yahoo.com,ctl:ruleEngine=On,ctl:auditEngine=RelevantOnly,msg:'banned IP',logdata:'client ip: %{REMOTE_ADDR},%{REMOTE_ADDR}'"

My test case:

1. Connect to the web server from an internal IP, 10.128.x.x.
2. The negated rule never triggers.

I checked the GeoIP database; the address 10.128.x.x does not match any country IP range, so the returned geo country code should be a blank string, which should trigger the SecRule GEO:COUNTRY_CODE "!@within US". Any thoughts would be appreciated.

Another related question is whether there is any tool which allows me to generate HTTP traffic while manipulating the source IP of these HTTP requests. Thanks in advance.
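Added example (not part of the original post or of any reply on the list). In ModSecurity 2.x a chain only continues while each link matches, and @geoLookup does not match when the address is absent from the database; in that case the GEO collection is also left empty, so the second link (GEO:COUNTRY_CODE "!@within US") is never evaluated for an address like 10.128.x.x. The configuration below handles the "lookup failed" case in its own rule and then tests the country code separately. The database path, rule ids and messages are assumptions for illustration; ids are optional in the 2.5 series the post dates from but required in 2.7 and later.

```apache
# Added example, not the original poster's configuration.
# Assumed database path; point this at your GeoIP.dat.
SecGeoLookupDb /etc/httpd/conf/modsecurity/GeoIP.dat

# Case 1: the client address is not in the GeoIP database at all
# (private ranges such as 10.128.x.x, or a stale database).
# @geoLookup does not match here and GEO: stays empty, so this has to be
# its own rule rather than the second link of a chain.
SecRule REMOTE_ADDR "!@geoLookup" \
    "id:900001,phase:1,t:none,deny,status:403,\
    msg:'GeoIP lookup failed',logdata:'client ip: %{REMOTE_ADDR}'"

# Case 2: the lookup in rule 900001 succeeded and populated GEO:, and the
# resolved country is anything other than US. A single value needs no
# @within list; "!@streq US" says the same thing.
SecRule GEO:COUNTRY_CODE "!@streq US" \
    "id:900002,phase:1,t:none,deny,status:403,\
    msg:'non-US client',logdata:'client ip: %{REMOTE_ADDR},%{GEO:COUNTRY_CODE}'"

# Testing only (keep commented out in production): look the address up
# from a request header instead of the TCP peer so the rules can be
# exercised with curl from one machine. Any client can set this header.
# SecRule REQUEST_HEADERS:X-Forwarded-For "!@geoLookup" \
#     "id:900003,phase:1,t:none,deny,status:403,msg:'GeoIP lookup failed (XFF test)'"
```

On the second question in the post: an HTTP request rides on a completed TCP handshake, so a spoofed source address never gets as far as a request; the usual way to test GeoIP rules from one host is the header variant above, e.g. `curl -H 'X-Forwarded-For: 192.0.2.1' http://yourserver/` (192.0.2.0/24 is a documentation range that is not in the database, so it exercises the lookup-failed rule), then repeating with an address you know resolves to a non-US country.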