Re: [mod-security-users] HTTP:BL
From: Ryan B. <RBa...@tr...> - 2011-07-20 19:01:11
Yes, I believe that if the @rbl operator check returns true (meaning that the remote RBL had a DNS match) then the rule matches and the action would be applied. As I stated in the previous email - I think that we could probably improve the @rbl check for the dnsbl.httpbl.org list so that we can capture the returned match data and save it in a TX:0 variable so that you can then inspect that data in a subsequent chained SecRule. This would allow you to verify the actual threat score assigned to the IP by Project Honeypot's HTTPBL.

-Ryan

On 7/20/11 2:53 PM, "Organic Spider" <web...@or...> wrote:

> Ryan,
>
> Am I right in thinking that if a threat score is returned, even if
> classed as low and does not even qualify as a HoneyPot IP, then the rule
> I am testing would have blocked the connection?
> --
> Thanks,
> Organic Spider | Weaving Open Source Technology
>
> ----- Original Message -----
>
> From: "Ryan Barnett" <rya...@ow...>
> To: "Organic Spider" <web...@or...>, mod...@li...
> Sent: Wednesday, 20 July, 2011 5:53:36 PM
> Subject: Re: [mod-security-users] HTTP:BL
>
> I think you want to use "pass" vs. "allow" during testing. Pass will
> process the rule and alert but it will not trigger any disruptive
> actions. By using allow, you are allowing the request to bypass further
> ModSecurity inspection if the @rbl check returns true.
>
> We will also look at possibly updating the @rbl operator check to be able
> to capture the returned BL msg data which would then allow you to chain
> the rule and do further inspection based on the BL's "threat score".
>
> -Ryan
>
> On 7/20/11 12:44 PM, "Organic Spider" <web...@or...> wrote:
>
>> I have installed 2.7 and have enabled the HTTP:BL rule in a local conf
>> file using:
>>
>> # Project HoneyPot
>> SecHttpBlKey XXXXXXXXX
>> SecRule REMOTE_ADDR "@rbl dnsbl.httpbl.org" \
>>     "phase:1,t:none,log,allow,msg:'HTTPBL Match of Client IP.'"
>>
>> Once httpd was re-started I began to see in error.log:
>>
>> [Wed Jul 20 17:40:30 2011] [error] [client XXX.XXX.XXX.XXX] ModSecurity: Access allowed (phase 1). RBL lookup of XXXXXXXXXXXXXX.dnsbl.httpbl.org succeeded at REMOTE_ADDR. Search Engine: 0 days since last activity, threat score 5 [file "/usr/local/apache/conf/modsecurity.d/local/00_localrules.conf"] [line "14"] [msg "HTTPBL Match of Client IP."] [hostname "www.XXXXXXX.com"] [uri "/sitemap-xml.html"] [unique_id "TicE-k1JBusAAFw70-cAAAAG"]
>>
>> If I had left the rule as block then this connection would not have been
>> allowed? As it would appear that a score of 5 is referred to as low in
>> the eyes of HTTP:BL, and the IP address is not even listed when you query
>> it. Or does the block only trigger when the threat score is within a
>> certain threshold?
>> --
>> Thanks,
>> Organic Spider | Weaving Open Source Technology
>>
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
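Since the @rbl operator as discussed in this thread only reports whether the DNS lookup got an answer, the decision a site actually wants to make rests on the threat score and visitor type carried in that answer. The following is an added example written for this page; it is not code from the thread, from ModSecurity or from Project Honeypot. It builds the HTTP:BL query name, decodes the 127.x.y.z answer into days, score and visitor type following Project Honeypot's published API layout as understood by the author of this example, and applies a threshold policy of the kind Ryan describes wanting to do in a chained rule. The function names, the sample answers, the default thresholds and the note about search-engine entries are this example's own assumptions.

```python
"""Decode Project Honeypot HTTP:BL answers and apply a threat-score policy.

Added example for the discussion above; it is not code from ModSecurity or
from Project Honeypot. The query and answer layout follow Project Honeypot's
published HTTP:BL API as the author of this example understands it (check
the current API documentation before relying on it):

  query : <access key>.<client IPv4 with octets reversed>.dnsbl.httpbl.org
  answer: 127.<days since last activity>.<threat score>.<visitor type>
  type  : bitmask, 0 = search engine, 1 = suspicious, 2 = harvester,
          4 = comment spammer (bits combine, e.g. 6 = harvester + spammer)

No DNS lookup is performed; answers are constructed inline so the decode
and policy logic run offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

TYPE_BITS = {1: "suspicious", 2: "harvester", 4: "comment spammer"}


def httpbl_query_name(access_key: str, client_ip: str,
                      zone: str = "dnsbl.httpbl.org") -> str:
    """Build the name to resolve: key, then the IPv4 octets in reverse order."""
    ip = ipaddress.IPv4Address(client_ip)          # rejects non-IPv4 input
    reversed_ip = ".".join(reversed(str(ip).split(".")))
    return f"{access_key}.{reversed_ip}.{zone}"


@dataclass(frozen=True)
class HttpblResult:
    listed: bool
    days_since_activity: int = 0
    threat_score: int = 0
    visitor_type: int = 0

    @property
    def is_search_engine(self) -> bool:
        # Visitor type 0 marks a known search engine; for those the third
        # octet identifies the engine rather than giving a threat score
        # (assumption taken from the API description, not from the thread).
        return self.listed and self.visitor_type == 0

    @property
    def labels(self) -> Tuple[str, ...]:
        if not self.listed:
            return ()
        if self.visitor_type == 0:
            return ("search engine",)
        return tuple(name for bit, name in TYPE_BITS.items()
                     if self.visitor_type & bit)


def decode_httpbl_answer(answer: Optional[str]) -> HttpblResult:
    """Decode the A record HTTP:BL returns; None stands for NXDOMAIN (not listed)."""
    if answer is None:
        return HttpblResult(listed=False)
    octets = answer.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"malformed HTTP:BL answer: {answer!r}")
    first, days, score, vtype = (int(o) for o in octets)
    if first != 127 or not (days <= 255 and score <= 255 and vtype <= 7):
        raise ValueError(f"out-of-range HTTP:BL answer: {answer!r}")
    return HttpblResult(True, days, score, vtype)


def should_block(result: HttpblResult, min_threat: int = 25,
                 max_days: int = 30, block_search_engines: bool = False) -> bool:
    """Decide on a disruptive action from the decoded answer.

    A bare DNS match (all that @rbl alone reports) is not enough: block only
    non-search-engine visitors whose threat score reaches min_threat and
    whose last recorded activity is at most max_days old. The defaults are
    this example's choices, not values from the thread.
    """
    if not result.listed:
        return False
    if result.is_search_engine:
        return block_search_engines
    return (result.threat_score >= min_threat
            and result.days_since_activity <= max_days)


if __name__ == "__main__":
    # Constructed sample answers; the first is shaped like the log line in
    # the thread (type 0, third octet 5): listed, but as a search engine.
    for answer in ("127.0.5.0", "127.3.40.6", "127.100.60.1", None):
        r = decode_httpbl_answer(answer)
        print(answer, r.labels, "block" if should_block(r) else "pass")
```

The policy function is where the "pass during testing, block once tuned" advice from the thread lands: run it in log-only mode first, look at which decoded labels and scores appear in the error log, and only then pick min_threat and max_days for the deployment.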