Re: [mod-security-users] GeoIP match rule, problem
From: Yi Li <yi...@gm...> - 2009-10-01 00:46:22
thanks. I may want to allow up to 20 countries finally. Using within to block over 140 country codes does not sound like a good idea, so I am looking at negate @within. Any easy way of doing so?

On Wed, Sep 30, 2009 at 6:41 PM, Brian Rectanus <Bri...@br...> wrote:
> Yi Li wrote:
>
>> hi, wish someone could give me a help here.
>>
>> I want to write a rule that blocks http traffic whose source IP is from
>> any country other than US.
>>
>> I can list all country codes and use a @within operator, which actually
>> works.
>>
>> but I want to find a better way, so I try to negate @within, then it fails.
>>
>> here is what I did:
>>
>> # Specify GeoIP datafeed
>> SecGeoLookupDb /etc/httpd/conf/modsecurity/GeoIP-106_20090512.dat
>>
>> # GeoIP blocking rule, including complete country codes
>> SecRule REMOTE_ADDR @geoLookup \
>>     "phase:1,chain,drop,ctl:ruleEngine=DetectionOnly,ctl:auditEngine=On,msg:'banned country code Geo-IP',logdata:'client ip: %{REMOTE_ADDR},%{GEO:COUNTRY_CODE}'"
>> SecRule GEO:COUNTRY_CODE "!@within US"
>>
>> SecRule REMOTE_ADDR "@rx ^10\.128\.80\.10$" \
>>     "phase:1,redirect:http://www.yahoo.com,ctl:ruleEngine=On,ctl:auditEngine=RelevantOnly,msg:'banned IP',logdata:'client ip: %{REMOTE_ADDR},%{REMOTE_ADDR}'"
>>
>> my test case:
>>
>> 1. connect to the web server from an internal IP 10.128.x.x.
>> 2. the negate rule never triggers
>>
>> i checked the GeoIP database, the address '10.128.x.x' does not match
>> any country IP so the returned geo country code should be a blank string,
>> which should trigger the SecRule GEO:COUNTRY_CODE "!@within US".
>>
>> any thoughts would be appreciated.
>>
>> another related question is whether there is any tool which allows
>> me to generate http traffic but I can manipulate the source IP of these
>> http requests.
>>
>> thanks in advance.
>>
>
> This is actually documented as an example for GEO:
>
> SecRule GEO:COUNTRY_CODE "!@streq GB"
>
> Just change that to US?
>
> -B
>
> --
> Brian Rectanus
> Breach Security
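The exchange above turns on how a negated @within behaves when the GeoIP lookup returns no country, and on how to express a multi-country allow list. The following Python model is an added illustration written for this thread, not ModSecurity code and not anything either poster wrote. It assumes @within can be modelled as a plain substring test of the variable value inside the operator parameter and @streq as exact string equality; the GEO_DB table, the addresses in it (documentation ranges plus the 10.128.80.10 address from the thread) and the helper names are constructed. Whether a given ModSecurity build treats an empty needle exactly this way is not settled by the thread and should be checked against the version in use.

```python
"""Model of ModSecurity's @within and @streq over a GEO:COUNTRY_CODE value.

Added example for the mailing-list thread; not ModSecurity source.
Assumption: @within == substring test of value inside parameter,
@streq == exact equality. GEO_DB below is a constructed stand-in for
SecGeoLookupDb / @geoLookup.
"""

# Constructed lookup table. The 10.128.80.10 address is the private
# (RFC 1918) client from the thread; it has no country and resolves to "".
GEO_DB = {
    "192.0.2.1": "US",       # constructed: TEST-NET-1 address mapped to US
    "198.51.100.7": "GB",    # constructed: TEST-NET-2 address mapped to GB
    "10.128.80.10": "",      # private address, lookup yields no country
}


def geo_lookup(remote_addr):
    """Stand-in for @geoLookup: unknown addresses also resolve to ''."""
    return GEO_DB.get(remote_addr, "")


def op_within(value, param):
    """@within as modelled here: is the variable value a substring of param?"""
    return value in param


def op_streq(value, param):
    """@streq: exact string equality."""
    return value == param


def rule_matches(op, value, param, negate=False):
    """Apply an operator, honouring the leading '!' of a ModSecurity rule."""
    hit = op(value, param)
    return (not hit) if negate else hit


def within_block_fires(remote_addr, allowed="US"):
    """Chain from the thread: @geoLookup then GEO:COUNTRY_CODE "!@within US"."""
    return rule_matches(op_within, geo_lookup(remote_addr), allowed, negate=True)


def streq_block_fires(remote_addr, allowed="US"):
    """Brian's suggestion: GEO:COUNTRY_CODE "!@streq US"."""
    return rule_matches(op_streq, geo_lookup(remote_addr), allowed, negate=True)


def allowlist_block_fires(remote_addr, allowed_codes):
    """Allow up to N countries by exact membership in a space-separated list.

    An empty or unresolved country code is never in the set, so the client
    is blocked: the lookup failure fails closed instead of slipping through.
    """
    code = geo_lookup(remote_addr)
    return code not in set(allowed_codes.split())


if __name__ == "__main__":
    for ip in GEO_DB:
        print(f"{ip:14} code={geo_lookup(ip)!r:5} "
              f"!@within US fires={within_block_fires(ip)} "
              f"!@streq US fires={streq_block_fires(ip)} "
              f"allowlist(US CA GB) blocks={allowlist_block_fires(ip, 'US CA GB')}")
    # Substring pitfall of @within under this model: 'SC' is found inside
    # an unseparated list 'USCA' but not inside 'US CA'.
    print("SC within USCA:", op_within("SC", "USCA"))
    print("SC within 'US CA':", op_within("SC", "US CA"))
```

Under the substring model the empty code from the private address is found inside "US", so the negated @within never fires, which reproduces what Yi Li observed; the negated @streq does fire for the same client. The allow-list helper shows the approach that scales to twenty countries: exact membership in a whitespace-separated list, where anything unresolved is treated as not allowed. If @within is kept for a list, separate the codes so that a two-letter code cannot match across a boundary of two neighbouring entries.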