[mod-security-users] can not get 'skipAfter' work
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
[mod-security-users] can not get 'skipAfter' work
|
From: Yi Li <yi...@gm...> - 2011-06-10 21:56:24
|
i tried to set up rules so that in some circumstances, some rules could be
bypassed.
I used the 'skipAfter' directive; it seems that the 'skipAfter' never
triggers and therefore can not bypass the rules which should be bypassed.
any help would be appreciated.
Details:
the rules are below:
*SecRule REMOTE_ADDR "^10\.128\.76\.50$"
"skipAfter:AFTER_GEO_IP_CHECK,allow,msg:'skip geoip'"*
*
*
*SecMarker GEO_IP_CHECK*
*SecRule REMOTE_ADDR "^10\.128\.76\.50$" "phase:1,drop,msg:'ip
block',logdata:'%{PATH_INFO}'"*
*SecRule REMOTE_ADDR @geoLookup \*
*"phase:1,chain,log,ctl:ruleEngine=On,ctl:auditEngine=RelevantOnly,msg:'non-us-ca
country code logged Geo-IP',logdata:'client ip:
%{REMOTE_ADDR},%{GEO:COUNTRY_CODE}'"*
*
*
*SecRule GEO:COUNTRY_CODE "!@within US CA"*
*
*
*SecMarker AFTER_GEO_IP_CHECK*
*
*
*## end of rules*
*
*
*
the problem:
as the rules above, when a client (10.128.76.50) connects, the 'skipAfter'
should skip the rule block in the 'SecMarker';
In reality, the request is always caught by the first rule inside
'SecMarker'.
questions:
0. the modsecurity i use is 2.5.9; i believe 'skipAfter','secmarker' are
both supported by this version, correct?
1. other than using 'skipAfter', 'secmarker', are there other options that i
can have some url to bypass a block of rules?
2. if i want to debug why the 'skipAfter' never triggers, how can i have it
produce detailed debug info?
i increase the debuglevel to 9 before the 'skipAfter' rule, but it does not
have any log related to 'skipAfter'
*
*
*
On Wed, May 25, 2011 at 2:37 AM, Christian Bockermann <ch...@jw...>wrote:
> Hi Li,
>
> thanks for restating your objectives. That's much clearer, now.
>
> Am 25.05.2011 um 02:05 schrieb Yi Li:
>
> > Ryan, phoenix, thank you to both for the comments.
> >
> > it seems I confuse people when I use the sample inspection rule 'block
> 10.128.76.50' to illustrate what I want to achieve. sorry for the
> confusion.
> >
> > let me explain again what i would like to achieve:
> >
> > 1. currently i already have an working rule based on country code from
> GeoIP. now I want to fine-tune the rule so the inspection is applied only
> to 2 specific web pages (currently it inspects requests to any of the web
> pages protected by modsecurity)..
> >
> > 2. still with the country code blocking rule, I want to allow request
> from a certain IP range bypass the country code blocking rule.
>
> A while back, ModSecurity introduced "markers", which can be used to jump
> around within
> the rulesets. Following the structure of your objectives, this might be a
> straight forward
> approach by using the markers.
> In the following I put your Geo IP rule into up a block surrounded by a
> GEO_IP_CHECK and a
> AFTER_GEO_IP_CHECK marker. In the beginning I set up a few rules to skip
> this block of
> Geo IP checks for the objectives you defined.
>
>
> SecDefaultAction "phase:1,pass"
>
> # Objective #1: Skip the GeoIP check rules for the specific URLs
> #
> SecRule REQUEST_URI "@eq /your/url1"
> skipAfter:AFTER_GEO_IP_CHECK,log,msg:'Skipping GeoIP check for URI
> %{REQUEST_URI}'
> SecRule REQUEST_URI "@eq /your/url2"
> skipAfter:AFTER_GEO_IP_CHECK,log,msg:'Skipping GeoIP check for URI
> %{REQUEST_URI}'
>
> # Objective #2: Bypass the GeoIP check for specific remote addresses
> #
> SecRule REMOTE_ADDR "@rx ^192\.168\.30\.\d+$"
> skipAfter:AFTER_GEO_IP_CHECK,log,msg:'Skipping GeoIP check for local
> network'
>
>
> # this marks the beginning of the GEO_IP_CHECK
> #
> SecMarker GEO_IP_CHECK
>
> # put your GEO IP lookup rule into this block:
> #
> SecRule REMOTE_ADDR @geoLookup \
>
> "phase:1,chain,drop,ctl:ruleEngine=DetectionOnly,ctl:auditEngine=On,msg:'banned
> country code Geo-IP',logdata:'client ip:%{REMOTE_ADDR},%{GEO:COUNTRY_CODE}'"
> SecRule GEO:COUNTRY_CODE "!@within US"
>
>
> # this marks the end of the GEO_IP_CHECK
> SecMarker AFTER_GEO_IP_CHECK
>
>
> So, the basic idea is to have a block of checks, which is marked with
> GEO_IP_CHECK and
> AFTER_GEO_IP_CHECK and write "exception rules" at the beginning, which skip
> this block
> for specific URLs and IP addresses.
>
> Note, that the GEO_IP_CHECK marker at the beginning is not used, I just put
> it there
> for visualizing where the start of the Geo IP block is.
>
>
> Best regards,
> Chris
|