Re: [mod-security-users] Is possible to block mac addresses with modsec?
From: Sergio <se...@gm...> - 2010-09-18 15:13:56

Thank you Ryan, actually I already have my own @rbl, but I was looking for something that could block MAC addresses because spoofed IPs always use the same MAC.

See an excerpt of the firewall log, the SRC IP changes but the MAC is the same. The DST IP has been masked for security reasons but the real one is not a LAN IP:

Sep 18 03:19:29 server: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=aa:00:ad:5f:07:01:00:1d:71:99:63:40:08:00 SRC=209.212.145.25 DST=192.168.0.26 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=256 DF PROTO=TCP SPT=12200 DPT=27977 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 18 03:31:56 server: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=aa:00:ad:5f:07:01:00:1d:71:99:63:40:08:00 SRC=109.162.130.71 DST=192.168.0.26 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=18792 DF PROTO=TCP SPT=3343 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Sep 18 03:38:58 server: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=aa:00:ad:5f:07:01:00:1d:71:99:63:40:08:00 SRC=60.2.63.226 DST=192.168.0.27 LEN=435 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=5065 DPT=5060 LEN=415
Sep 18 03:47:50 server: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=aa:00:ad:5f:07:01:00:1d:71:99:63:40:08:00 SRC=219.149.194.245 DST=192.168.0.26 LEN=404 TOS=0x00 PREC=0x00 TTL=31 ID=17433 PROTO=UDP SPT=1060 DPT=1434 LEN=384

Could this be done?

Best Regards,

--
Sergio Cabrera

On Sat, Sep 18, 2010 at 6:53 AM, Ryan Barnett <RBa...@tr...> wrote:

> Do you mean IP addresses? MACs are only available on LANs. If you want to
> check a remote blacklist and block IPs then use the @rbl operator. Check out
> this recent blog post --
>
> http://blog.modsecurity.org/2010/09/advanced-topic-of-the-week-real-time-blacklist-lookups.html
>
> Sent from my iPhone
>
> On Sep 18, 2010, at 12:32 AM, Sergio <se...@gm...> wrote:
>
> > Hi all,
> > sorry if this has been asked before.
> >
> > Is there a rule or command that could be used to check and block MAC
> > addresses that could be in a black list?
> >
> > Regards,
> >
> > --
> > Sergio Cabrera
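
Ryan's point that MACs are only available on LANs can be checked against the log lines quoted in the message. The following is an added example, not part of the thread: it assumes the log comes from the Linux netfilter LOG target, whose MAC= field is the 14-byte Ethernet header (destination MAC, source MAC, EtherType), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# The four firewall log lines quoted in the message, embedded so this runs offline.
SAMPLE_LOG = """\
Sep 18 03:19:29 server: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=aa:00:ad:5f:07:01:00:1d:71:99:63:40:08:00 SRC=209.212.145.25 DST=192.168.0.26 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=256 DF PROTO=TCP SPT=12200 DPT=27977 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 18 03:31:56 server: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=aa:00:ad:5f:07:01:00:1d:71:99:63:40:08:00 SRC=109.162.130.71 DST=192.168.0.26 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=18792 DF PROTO=TCP SPT=3343 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Sep 18 03:38:58 server: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=aa:00:ad:5f:07:01:00:1d:71:99:63:40:08:00 SRC=60.2.63.226 DST=192.168.0.27 LEN=435 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=5065 DPT=5060 LEN=415
Sep 18 03:47:50 server: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=aa:00:ad:5f:07:01:00:1d:71:99:63:40:08:00 SRC=219.149.194.245 DST=192.168.0.26 LEN=404 TOS=0x00 PREC=0x00 TTL=31 ID=17433 PROTO=UDP SPT=1060 DPT=1434 LEN=384
"""

ETHERTYPES = {"08:00": "IPv4", "08:06": "ARP", "86:dd": "IPv6"}
MAC_RE = re.compile(r"\bMAC=((?:[0-9a-fA-F]{2}:){13}[0-9a-fA-F]{2})(?=\s|$)")
SRC_RE = re.compile(r"\bSRC=(\S+)")

def split_mac_field(field):
    """Split a 14-octet MAC= value (assumed netfilter LOG layout) into
    destination MAC, source MAC and EtherType."""
    octets = field.lower().split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 octets (6 dst + 6 src + 2 EtherType)")
    ethertype = ":".join(octets[12:])
    return {
        "dst_mac": ":".join(octets[:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": ETHERTYPES.get(ethertype, ethertype),
    }

def sources_by_src_mac(log_text):
    """Map each layer-2 source MAC to the set of SRC IPs logged behind it."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        mac, src = MAC_RE.search(line), SRC_RE.search(line)
        if not (mac and src):
            continue  # no full Ethernet header or no SRC on this line
        groups[split_mac_field(mac.group(1))["src_mac"]].add(src.group(1))
    return dict(groups)

def likely_gateway_macs(log_text, min_ips=2):
    """Source MACs shared by several distinct IPs: the previous hop, not the remote hosts."""
    return sorted(m for m, ips in sources_by_src_mac(log_text).items() if len(ips) >= min_ips)

if __name__ == "__main__":
    for mac, ips in sources_by_src_mac(SAMPLE_LOG).items():
        print(mac, sorted(ips))
    print("likely gateway:", likely_gateway_macs(SAMPLE_LOG))
```

Under that layout the first six octets are the receiving interface and the next six are the device that put the frame on the local segment, so a source MAC shared by every remote SRC identifies the previous hop, and a MAC-based block on it would drop all traffic arriving through that hop.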