[mod-security-users] can not get 'skipAfter' work
From: Yi Li <yi...@gm...> - 2011-06-10 21:56:24
I tried to set up rules so that in some circumstances some rules could be bypassed. I used the 'skipAfter' directive; it seems that 'skipAfter' never triggers and therefore cannot bypass the rules which should be bypassed. Any help would be appreciated.

Details: the rules are below:

SecRule REMOTE_ADDR "^10\.128\.76\.50$" "skipAfter:AFTER_GEO_IP_CHECK,allow,msg:'skip geoip'"

SecMarker GEO_IP_CHECK

SecRule REMOTE_ADDR "^10\.128\.76\.50$" "phase:1,drop,msg:'ip block',logdata:'%{PATH_INFO}'"

SecRule REMOTE_ADDR @geoLookup \
    "phase:1,chain,log,ctl:ruleEngine=On,ctl:auditEngine=RelevantOnly,msg:'non-us-ca country code logged Geo-IP',logdata:'client ip: %{REMOTE_ADDR},%{GEO:COUNTRY_CODE}'"
    SecRule GEO:COUNTRY_CODE "!@within US CA"

SecMarker AFTER_GEO_IP_CHECK

## end of rules

The problem: with the rules above, when a client (10.128.76.50) connects, the 'skipAfter' should skip the rule block between the 'SecMarker' directives; in reality, the request is always caught by the first rule inside the 'SecMarker' block.

Questions:

0. The modsecurity I use is 2.5.9; I believe 'skipAfter' and 'secmarker' are both supported by this version, correct?

1. Other than using 'skipAfter' and 'secmarker', are there other options so that I can have some URL bypass a block of rules?

2. If I want to debug why the 'skipAfter' never triggers, how can I have it produce detailed debug info? I increase the debuglevel to 9 before the 'skipAfter' rule, but it does not have any log related to 'skipAfter'.

On Wed, May 25, 2011 at 2:37 AM, Christian Bockermann <ch...@jw...> wrote:

> Hi Li,
>
> thanks for restating your objectives. That's much clearer, now.
>
> On 25.05.2011 at 02:05, Yi Li wrote:
>
> > Ryan, phoenix, thank you to both for the comments.
> >
> > It seems I confuse people when I use the sample inspection rule 'block 10.128.76.50' to illustrate what I want to achieve. Sorry for the confusion.
> >
> > Let me explain again what I would like to achieve:
> >
> > 1. Currently I already have a working rule based on country code from GeoIP. Now I want to fine-tune the rule so the inspection is applied only to 2 specific web pages (currently it inspects requests to any of the web pages protected by modsecurity).
> >
> > 2. Still with the country code blocking rule, I want to allow requests from a certain IP range to bypass the country code blocking rule.
>
> A while back, ModSecurity introduced "markers", which can be used to jump around within the rulesets. Following the structure of your objectives, this might be a straightforward approach by using the markers.
> In the following I put your Geo IP rule into a block surrounded by a GEO_IP_CHECK and an AFTER_GEO_IP_CHECK marker. In the beginning I set up a few rules to skip this block of Geo IP checks for the objectives you defined.
>
> SecDefaultAction "phase:1,pass"
>
> # Objective #1: Skip the GeoIP check rules for the specific URLs
> # (@streq compares strings; @eq is a numeric comparison)
> SecRule REQUEST_URI "@streq /your/url1" \
>     "skipAfter:AFTER_GEO_IP_CHECK,log,msg:'Skipping GeoIP check for URI %{REQUEST_URI}'"
> SecRule REQUEST_URI "@streq /your/url2" \
>     "skipAfter:AFTER_GEO_IP_CHECK,log,msg:'Skipping GeoIP check for URI %{REQUEST_URI}'"
>
> # Objective #2: Bypass the GeoIP check for specific remote addresses
> #
> SecRule REMOTE_ADDR "@rx ^192\.168\.30\.\d+$" \
>     "skipAfter:AFTER_GEO_IP_CHECK,log,msg:'Skipping GeoIP check for local network'"
>
> # this marks the beginning of the GEO_IP_CHECK
> #
> SecMarker GEO_IP_CHECK
>
> # put your GEO IP lookup rule into this block:
> #
> SecRule REMOTE_ADDR @geoLookup \
>     "phase:1,chain,drop,ctl:ruleEngine=DetectionOnly,ctl:auditEngine=On,msg:'banned country code Geo-IP',logdata:'client ip:%{REMOTE_ADDR},%{GEO:COUNTRY_CODE}'"
>     SecRule GEO:COUNTRY_CODE "!@within US"
>
> # this marks the end of the GEO_IP_CHECK
> SecMarker AFTER_GEO_IP_CHECK
>
> So, the basic idea is to have a block of checks, which is marked with GEO_IP_CHECK and AFTER_GEO_IP_CHECK, and write "exception rules" at the beginning, which skip this block for specific URLs and IP addresses.
>
> Note that the GEO_IP_CHECK marker at the beginning is not used; I just put it there for visualizing where the start of the Geo IP block is.
>
> Best regards,
> Chris
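As an added illustration, not part of the thread and not ModSecurity's own code: a small Python model of the phase semantics that decide whether a skipAfter can reach its marker. It assumes the documented ModSecurity 2.x behaviour that a rule with no phase action runs in phase 2 unless SecDefaultAction changes it, that a SecMarker is present in every phase, and that skipAfter only skips rules in the phase it runs in; the ruleset is a simplified stand-in for the one posted above, evaluated once with the skip rule left in the default phase and once with it moved to phase 1, as Chris's SecDefaultAction does.

```python
# Added example, not from the thread: a small model of ModSecurity 2.x phase
# ordering with skipAfter/SecMarker. Modelled: a rule without a phase action
# runs in the default phase (2 unless SecDefaultAction changes it), a SecMarker
# exists in every phase, and skipAfter only skips rules in the current phase.
from dataclasses import dataclass
from typing import Optional

DEFAULT_PHASE = 2  # ModSecurity's default when SecDefaultAction is untouched

@dataclass
class Rule:
    matches: bool                     # outcome of the operator for this request
    phase: int = DEFAULT_PHASE
    disruptive: str = "pass"          # "pass" or "drop"
    skip_after: Optional[str] = None  # target marker of a skipAfter action
    marker: Optional[str] = None      # set for SecMarker entries, never matches

def run(rules, phases=(1, 2)):
    """Evaluate rules phase by phase and return the flow actions taken."""
    fired = []
    for phase in phases:
        # markers appear in every phase, ordinary rules only in their own
        ordered = [r for r in rules if r.marker or r.phase == phase]
        i = 0
        while i < len(ordered):
            r = ordered[i]
            if r.marker or not r.matches:
                i += 1
                continue
            if r.disruptive == "drop":
                fired.append(f"phase{phase}:drop")
                return fired  # connection dropped, later phases never run
            if r.skip_after:
                fired.append(f"phase{phase}:skipAfter:{r.skip_after}")
                # resume at the first rule after the named marker
                i = next(j for j, x in enumerate(ordered) if x.marker == r.skip_after) + 1
                continue
            i += 1
    return fired

def geo_ruleset(skip_rule_phase):
    """The thread's layout for client 10.128.76.50: skip rule, marker, phase-1 drop, end marker."""
    return [
        Rule(matches=True, phase=skip_rule_phase, skip_after="AFTER_GEO_IP_CHECK"),
        Rule(matches=False, marker="GEO_IP_CHECK"),
        Rule(matches=True, phase=1, disruptive="drop"),  # the 'ip block' rule
        Rule(matches=False, marker="AFTER_GEO_IP_CHECK"),
    ]
```

With the skip rule left in the default phase, `run(geo_ruleset(DEFAULT_PHASE))` returns `['phase1:drop']` because the phase-1 drop has already fired before the phase-2 skip rule is ever evaluated; with `run(geo_ruleset(1))` the skip rule sits in the same phase as the block and the result is `['phase1:skipAfter:AFTER_GEO_IP_CHECK']`.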