Re: [mod-security-users] GeoIP match rule, problem
From: Brian R. <Bri...@br...> - 2009-09-30 22:41:52
Yi Li wrote:
> hi, wish someone could give me some help here.
>
> I want to write a rule that blocks http traffic whose source IP is from
> any country other than US.
>
> I can list all country codes and use a @within operator, which actually
> works.
>
> but i want to find a better way, so I try to negate @within then it fails.
>
> here is what I did:
>
> # Specify GeoIP datafeed
> SecGeoLookupDb /etc/httpd/conf/modsecurity/GeoIP-106_20090512.dat
>
> # GeoIP blocking rule, including complete country codes
> SecRule REMOTE_ADDR @geoLookup \
>     "phase:1,chain,drop,ctl:ruleEngine=DetectionOnly,ctl:auditEngine=On,msg:'banned country code Geo-IP',logdata:'client ip: %{REMOTE_ADDR},%{GEO:COUNTRY_CODE}'"
>     SecRule GEO:COUNTRY_CODE "!@within US"
>
> SecRule REMOTE_ADDR "@rx ^10\.128\.80\.10$" \
>     "phase:1,redirect:http://www.yahoo.com,ctl:ruleEngine=On,ctl:auditEngine=RelevantOnly,msg:'banned IP',logdata:'client ip: %{REMOTE_ADDR},%{REMOTE_ADDR}'"
>
> my test case:
>
> 1. connect to the web server from an internal IP 10.128.x.x.
> 2. the negate rule never triggers
>
> i checked the GeoIP database, the address '10.128.x.x' does not match
> any country IP so the returned geo country code should be a blank string,
> which should trigger the SecRule GEO:COUNTRY_CODE "!@within US".
>
> any thoughts would be appreciated.
>
> another related question is whether there is any tool which allows
> me to generate http traffic but I can manipulate the source IP of these
> http requests.
>
> thanks in advance.

This is actually documented as an example for GEO:

SecRule GEO:COUNTRY_CODE "!@streq GB"

Just change that to US?

-B

--
Brian Rectanus
Breach Security
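Added illustration, not part of the thread: a small Python model of the two operators that shows why the negated @within never fires for a blank GEO:COUNTRY_CODE while the negated @streq does. It assumes @within behaves as its documented substring check ("the variable value is found anywhere within the parameter"), under which an empty value is found in any haystack; the two public-range addresses are constructed sample data.

```python
# Added example (not from the thread): simplified model of ModSecurity's
# @within and @streq operators applied to the negated GeoIP rule.
# Assumption: @within is modelled as a plain substring search, following its
# documented "value is found anywhere within the parameter" semantics.

def op_within(value: str, param: str) -> bool:
    """@within: true if the variable value occurs anywhere in the parameter.
    Note that the empty string is a substring of every string, so a blank
    country code always "matches" here."""
    return value in param


def op_streq(value: str, param: str) -> bool:
    """@streq: true only if the variable value equals the parameter exactly."""
    return value == param


def geo_block_rule_matches(country_code: str, op, allowed: str = "US") -> bool:
    """Model of the chained rule SecRule GEO:COUNTRY_CODE "!@<op> US":
    the rule (and hence the disruptive action) fires when the negated
    operator evaluates true."""
    return not op(country_code, allowed)


# Constructed GeoIP lookups: a US address, a GB address, and the internal
# RFC 1918 address from the thread, for which the database has no entry
# (empty country code).
SAMPLE_LOOKUPS = {
    "203.0.113.5": "US",
    "198.51.100.7": "GB",
    "10.128.80.10": "",
}


def evaluate(op) -> dict:
    """Return {client_ip: rule_fired} for each sample lookup under one operator."""
    return {ip: geo_block_rule_matches(code, op) for ip, code in SAMPLE_LOOKUPS.items()}


if __name__ == "__main__":
    for name, op in (("!@within US", op_within), ("!@streq US", op_streq)):
        print(name, evaluate(op))
```

Only the @streq variant fires for the unresolved 10.128.80.10 address; with @within, an unresolved address is silently treated as allowed.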