Re: [mod-security-users] GeoIP match rule, problem
From: Yi Li <yi...@gm...> - 2009-10-01 00:46:22
Thanks.
I may eventually want to allow up to 20 countries. Using @within to block over
140 country codes does not sound like a good idea, so I am looking at negating
@within.
Any easy way of doing so?
On Wed, Sep 30, 2009 at 6:41 PM, Brian Rectanus
<Bri...@br...> wrote:
> Yi Li wrote:
>
>> Hi, I wish someone could give me some help here.
>>
>> I want to write a rule that blocks HTTP traffic whose source IP is from
>> any country other than the US.
>>
>> I can list all country codes and use a @within operator, which actually
>> works.
>>
>> But I want to find a better way, so I tried negating @within, and then it fails.
>>
>> Here is what I did:
>>
>> # Specify GeoIP datafeed
>> SecGeoLookupDb /etc/httpd/conf/modsecurity/GeoIP-106_20090512.dat
>>
>>
>> # GeoIP blocking rule, including complete country codes
>> SecRule REMOTE_ADDR @geoLookup \
>>     "phase:1,chain,drop,ctl:ruleEngine=DetectionOnly,ctl:auditEngine=On,msg:'banned country code Geo-IP',logdata:'client ip: %{REMOTE_ADDR},%{GEO:COUNTRY_CODE}'"
>>
>> SecRule GEO:COUNTRY_CODE "!@within US"
>>
>> SecRule REMOTE_ADDR "@rx ^10\.128\.80\.10$" \
>>     "phase:1,redirect:http://www.yahoo.com,ctl:ruleEngine=On,ctl:auditEngine=RelevantOnly,msg:'banned IP',logdata:'client ip: %{REMOTE_ADDR},%{REMOTE_ADDR}'"
>>
>>
>> My test case:
>>
>> 1. Connect to the web server from an internal IP 10.128.x.x.
>> 2. The negated rule never triggers.
>>
>> I checked the GeoIP database; the address '10.128.x.x' does not match
>> any country IP, so the returned geo country code should be a blank string,
>> which should trigger the SecRule GEO:COUNTRY_CODE "!@within US".
>>
>>
>> Any thoughts would be appreciated.
>>
>> Another related question is whether there is any tool which allows
>> me to generate HTTP traffic while manipulating the source IP of these
>> HTTP requests.
>>
>> Thanks in advance.
>>
>>
> This is actually documented as an example for GEO:
>
> SecRule GEO:COUNTRY_CODE "!@streq GB"
>
> Just change that to US?
>
> -B
>
> --
> Brian Rectanus
> Breach Security
>
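For the "allow 20 countries" case asked about above, here is an added example rule set in the ModSecurity 2.x rule language; it is not code from either poster. It uses a negated @pm with a literal, space-separated list rather than a negated @within: @within tests whether the variable value occurs inside the parameter string, so an empty country code is found inside any list and "!@within ..." can never fire on it, whereas "!@pm ..." fires whenever none of the listed codes occurs in the value. It also gives addresses with no GeoIP record their own rule, because the reference manual describes @geoLookup as returning false when the lookup fails, which means a chain hanging off @geoLookup never reaches the country-code test for an address such as 10.128.x.x (confirm this against the ModSecurity version you run). The rule ids and the country list are placeholders chosen for the example, and the database path is the one from the original post.

```apache
# Added example, not from the thread: country allow-list in ModSecurity 2.x
# using a negated @pm instead of a negated @within. Rule ids (900100, 900101)
# and the country list are placeholders; adjust both to your own policy.

SecGeoLookupDb /etc/httpd/conf/modsecurity/GeoIP-106_20090512.dat

# GEO:COUNTRY_CODE is exactly two letters when a record is found, so a literal
# @pm list of two-letter codes is unambiguous: the code is in the list or it
# is not. The chained rule denies when the code is NOT in the list. The
# disruptive action (deny) sits on the first rule of the chain, as required.
SecRule REMOTE_ADDR "@geoLookup" \
    "phase:1,chain,deny,status:403,log,id:900100,\
    msg:'Request from country outside allow-list',\
    logdata:'client ip: %{REMOTE_ADDR}, country: %{GEO:COUNTRY_CODE}'"
    SecRule GEO:COUNTRY_CODE "!@pm US CA GB DE FR"

# The chained test above only runs when @geoLookup found a record. Addresses
# with no record (RFC 1918 space such as 10.128.x.x, or IPs the database does
# not know) are handled here so the policy stays default-deny; switch deny to
# pass if you only want such requests logged.
SecRule REMOTE_ADDR "!@geoLookup" \
    "phase:1,deny,status:403,log,id:900101,\
    msg:'No GeoIP record for client address',\
    logdata:'client ip: %{REMOTE_ADDR}'"
```

To test without spoofing source addresses, place the rules in a vhost and request it from a host whose public IP is in one of the listed countries, from one that is not, and from an RFC 1918 address; the audit log's msg field tells you which of the two rules fired. Keep the country list short and review it with the same change control as any other access-control list, since it is now an authorization decision.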