Re: [mod-security-users] Help setting a file in a rule, how many definitions?
From: <se...@gm...> - 2010-01-25 14:36:24
Faris,

it seems that using @rbl could be an option to have thousands of IPs in a file, as opposed to having them in memory like @pmFromFile.

If you don't mind, would you tell me where I can get more info on how to build the file to be used by the @rbl command? I mean the structure of the file and/or extension. I have tried to use the same .txt file that I was using with @pmFromFile, but it didn't work searching for any IP.

Regards,
Sergio

On Jan 25, 2010 7:48am, Faris Raouf <ast...@ra...> wrote:
> Sergio,
>
> Using @rbl is excellent for looking up IPs, especially in conjunction with
> rbldnsd. It uses minimal memory, and by using Bind on the local server to
> cache responses from the rbldnsd server (which can be on the same box), it
> is extremely quick. Let me know if you want some pointers.
>
> Where @rbl falls down is as a way to do lookups of strings within a string.
> It can be used with domain names as opposed to IPs, but is not a substitute
> for @pmFromFile in many situations because your rules are probably looking
> to see if domain.tld is mentioned in an arbitrary text string and that's
> just not possible -- see my post on this topic in the other forum.
>
> eg If I want to see if baddomain.tld is included in ...
> "http://somedomain.tld/index.php?args=http://baddomain.tld/badscript.txt"
> ... then @rbl cannot be used.
>
> Mod_sec would need code to parse the string and somehow extract all possible
> domains from it, then do an @rbl lookup on *all* those domains.
>
> This would be a killer feature though and something I badly need. It looks
> like it would be trivial to implement in isolation but I'll bet it is hugely
> more complicated when taken in context.
>
> Thinking about it, there would have to be an option not to lookup the first
> domain extracted, as that's likely to be a local one and there may be good
> reasons to exclude that domain from lookups.
>
> But I'm going off-topic. Sorry.
>
> Faris.
>
> --------------------------------------------
> From: Sergio [mailto:se...@gm...]
> Sent: 25 January 2010 3:50 AM
> To: Ivan Ristic
> Cc: mod...@li...
> Subject: Re: [mod-security-users] Help setting a file in a rule, how many
> definitions?
>
> Ivan,
> looking at other options I found that maybe using the @RBL will be better,
> the only thing is that I don't see any info about how it works. I mean, does
> the @RBL get the black list and save this in the server memory, or does this
> function go to the RBL site and do a search for the IP every time an IP
> connects to the server?
>
> Regards,
> Sergio
>
> On Sun, Jan 24, 2010 at 11:56 AM, Ivan Ristic <iva...@gm...> wrote:
> I can only suggest that you report the problem as a bug:
> https://www.modsecurity.org/tracker/
>
> Don't forget to upload the 7500-line file that does not work because
> it will be needed for debugging.
>
> On Sun, Jan 24, 2010 at 5:18 PM, Sergio <se...@gm...> wrote:
> > Thank you Ivan for your input.
> >
> > But I have a problem with my rule:
> >
> > SecRule REMOTE_ADDR "@pmFromFile myfile.txt"
> >
> > I have set in myfile.txt about 4,000 item lines and everything went fine,
> > but then I increased this to 7,500 and then the rule didn't work.
> >
> > I am using this file to write there IPs that I want to check when
> > connected to my server and I was glad with the results but it seems that
> > the file has a limit.
> >
> > I have double checked that there are no white spaces nor duplicates but
> > the error continues.
> >
> > Just in case it helps, my server is CPanel with RHEL 5.4 and 4GB of RAM.
> >
> > Once again, thank you for any input you can share with me.
> >
> > Regards,
> > Sergio
> >
> > On Sun, Jan 24, 2010 at 10:01 AM, Ivan Ristic <iva...@gm...> wrote:
> >>
> >> On Sat, Jan 23, 2010 at 4:51 PM, Sergio <se...@gm...> wrote:
> >> > Hi to all,
> >> > I am new on this list and I want to say hi to everyone.
> >> >
> >> > Sorry if this question has been posted before, but it is my first time
> >> > here and I don't know where to search on the mailing list.
> >> >
> >> > Well, I have this issue, I am setting a new rule where I am using a
> >> > .TXT file to input some definitions like domain names or IPs. So, I
> >> > just want to know, how many lines can a file of this type handle?
> >>
> >> I am assuming you've encountered a problem with a large list of
> >> phrases? I've just looked into the source code of ModSecurity and
> >> there's no obvious limit there. I did find something else, though:
> >>
> >> - Whitespace around phrase lines is not stripped. Thus, stray
> >>   whitespace after patterns (which is difficult to spot) may cause
> >>   issues.
> >>
> >> - The code currently strips only one LF from the end of each line, but
> >>   leaves CR (if present). That too may cause issues (eg, if you're
> >>   editing your files on Windows).
> >>
> >> FYI, I've opened an issue for the above problems:
> >> https://www.modsecurity.org/tracker/browse/MODSEC-126
> >>
> >> --
> >> Ivan Ristic
> >> ModSecurity Handbook [https://www.feistyduck.com]
> >> SSL Labs [https://www.ssllabs.com/ssldb/]
> >
>
> --
> Ivan Ristic
> ModSecurity Handbook [https://www.feistyduck.com]
> SSL Labs [https://www.ssllabs.com/ssldb/]
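
The two phrase-file behaviours reported in the thread (only one LF stripped per line, CR and surrounding whitespace kept) can be checked for before a list is deployed. The following is an added example, not part of the original thread and not ModSecurity code: `load_like_thread_describes`, `lint_phrase_file` and `matches` are hypothetical helpers, the loader is a model built only from the description in the thread, and the sample addresses are constructed.

```python
# Added example: lint an @pmFromFile phrase file for stray CR, whitespace
# and duplicates, and show why an unclean entry never matches.

def load_like_thread_describes(raw: bytes) -> list[bytes]:
    """Model of the loading described in the thread (an assumption, not the
    ModSecurity source): split on LF and strip that one LF only, so CR and
    surrounding whitespace stay part of the phrase."""
    return [line for line in raw.split(b"\n") if line]

def lint_phrase_file(raw: bytes) -> tuple[list[tuple[int, str]], bytes]:
    """Return (findings, cleaned file). Findings are (line number, issue)."""
    findings, cleaned, seen = [], [], {}
    for number, line in enumerate(raw.split(b"\n"), start=1):
        if line.endswith(b"\r"):
            findings.append((number, "trailing CR (CRLF line ending)"))
        body = line.rstrip(b"\r")
        stripped = body.strip()
        if stripped != body:
            findings.append((number, "leading/trailing whitespace"))
        if not stripped:
            continue  # blank line, nothing to keep
        if stripped in seen:
            findings.append((number, f"duplicate of line {seen[stripped]}"))
            continue
        seen[stripped] = number
        cleaned.append(stripped)
    return findings, b"\n".join(cleaned) + b"\n"

def matches(phrases: list[bytes], value: bytes) -> bool:
    """Substring match, standing in for the operator's phrase matching."""
    return any(p in value for p in phrases)

# Constructed sample: line 2 was saved with CRLF, line 3 has a trailing
# space, line 4 repeats line 1.
SAMPLE = b"192.0.2.10\n198.51.100.7\r\n203.0.113.5 \n192.0.2.10\n"

if __name__ == "__main__":
    findings, cleaned = lint_phrase_file(SAMPLE)
    for number, issue in findings:
        print(f"line {number}: {issue}")
    before = load_like_thread_describes(SAMPLE)
    after = load_like_thread_describes(cleaned)
    for ip in (b"198.51.100.7", b"203.0.113.5"):
        print(ip.decode(), "matched before cleaning:", matches(before, ip),
              "after:", matches(after, ip))
```

Under this model the CRLF and trailing-space entries silently stop matching their own addresses, which is the kind of failure that is hard to spot by eye in a list of several thousand lines.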