Re: [mod-security-users] Whitelisting an IP address.
From: Ryan B. <RBa...@tr...> - 2011-08-09 14:16:19
Just a quick note about whitelisting IP addresses. If you only need to analyze a single IP address then you probably want to use @streq vs. other operators such as @rx or even @ipMatch. @streq is easier to use vs. @rx since you don't need to worry about escaping the "dot" chars or using anchoring -

    SecRule REMOTE_ADDR "@streq 127.0.0.1" "phase:1,t:none,nolog,pass"
    SecRule REMOTE_ADDR "@rx ^127\.0\.0\.1$" "phase:1,t:none,nolog,pass"

@streq is also faster than using @ipMatch for a single IP address. As a simple example, I tested with these two rules -

    SecRule REMOTE_ADDR "@streq 127.0.0.1" "phase:1,t:none,nolog,pass"
    SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" "phase:1,t:none,nolog,pass"

Here is the resulting debug log. Notice the bolded lines which tell you how long it took for the operator to complete -

    Recipe: Invoking rule 1009bd450; [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_15_customrules.conf"] [line "1"].
    Rule 1009bd450: SecRule "REMOTE_ADDR" "@streq 127.0.0.1" "phase:1,t:none,nolog,pass"
    Transformation completed in 0 usec.
    Executing operator "streq" with param "127.0.0.1" against REMOTE_ADDR.
    Target value: "127.0.0.1"
    Operator completed in 1 usec.
    Warning. String match "127.0.0.1" at REMOTE_ADDR. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_15_customrules.conf"] [line "1"]
    Rule returned 1.
    Match -> mode NEXT_RULE.
    Recipe: Invoking rule 1009bdb48; [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_15_customrules.conf"] [line "2"].
    Rule 1009bdb48: SecRule "REMOTE_ADDR" "@ipMatch 127.0.0.1" "phase:1,t:none,nolog,pass"
    Transformation completed in 0 usec.
    Executing operator "ipMatch" with param "127.0.0.1" against REMOTE_ADDR.
    Target value: "127.0.0.1"
    Operator completed in 7 usec.
    Warning. IPmatch "127.0.0.1" matched "127.0.0.1" at REMOTE_ADDR. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_15_customrules.conf"] [line "2"]
    Rule returned 1.
    Match -> mode NEXT_RULE.

As you can see, @streq took only 1 usec while @ipMatch took 7 usec. So if you have very simple IP address rules, and you are concerned about performance, you should use @streq. For all other scenarios (multiple IP addresses, ranges, etc…) you should use @ipMatch as it will be more accurate and easier to read.

-Ryan

From: Breno Silva <bre...@gm...>
Date: Mon, 8 Aug 2011 15:47:58 -0500
To: Christian Bockermann <ch...@jw...>
Cc: "mod...@li..." <mod...@li...>
Subject: Re: [mod-security-users] Whitelisting an IP address.

You can also use the @ipmatch operator.

Thanks

Breno

On Mon, Aug 8, 2011 at 2:51 PM, Christian Bockermann <ch...@jw...> wrote:

Hi Abdellah,

the easiest way is to switch off ModSecurity based on the client IP:

    SecRule REMOTE_ADDR "@streq 192.168.10.1" "phase:1,ctl:ruleEngine=Off,msg:'Turning off rule-engine for IP %{REMOTE_ADDR}'"

Best regards,
Chris

On 08.08.2011 at 19:39, Abdellah Tantan wrote:
> One of my clients is unable to access the application, can anybody show me how to whitelist an IP address in ModSecurity?
>
> I will appreciate it.
>
> Thanks
> Abdellah
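
Added example (not part of the original thread, and not ModSecurity code): Python models of the matching semantics behind @streq, @rx and @ipMatch, run over constructed client addresses, to show what the escaping and anchoring mentioned in the message guard against and where an address-aware match is needed. The allowlisted address 192.0.2.1, the sample clients, and the helper names are assumptions chosen for illustration.

```python
import ipaddress
import re

# Python models of the operators' matching semantics (not ModSecurity code).
def streq(param, addr):
    """@streq: the whole target string must equal the parameter."""
    return addr == param

def rx(param, addr):
    """@rx: regex search anywhere in the target unless the pattern is anchored."""
    return re.search(param, addr) is not None

def ip_match(param, addr):
    """@ipMatch: comma-separated addresses or CIDR blocks, compared as addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in param.split(",")]
    return any(ip.version == n.version and ip in n for n in nets)

# Constructed sample data: 192.0.2.1 is the one host meant to be allowlisted.
CLIENTS = ["192.0.2.1", "192.0.2.10", "192.0.2.100", "192.0.201.7", "198.51.100.9"]

CHECKS = {
    "streq":               lambda a: streq("192.0.2.1", a),
    "rx_plain":            lambda a: rx(r"192.0.2.1", a),        # dots unescaped, no anchors
    "rx_escaped":          lambda a: rx(r"192\.0\.2\.1", a),     # escaped, still unanchored
    "rx_escaped_anchored": lambda a: rx(r"^192\.0\.2\.1$", a),   # form used in the message
    "ipmatch_single":      lambda a: ip_match("192.0.2.1", a),
    "ipmatch_range":       lambda a: ip_match("192.0.2.0/24", a),
}

def allowed(check):
    """Return the sample clients that the named check would allowlist."""
    return [a for a in CLIENTS if CHECKS[check](a)]

if __name__ == "__main__":
    for name in CHECKS:
        print(f"{name:20} {allowed(name)}")
```

Only the escaped and anchored pattern behaves like the exact string comparison; the looser patterns also admit neighbouring addresses, which matters when the rule's action disables the rule engine for the matched client.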