Re: [Mod-security-rules] Show GEO DAT in modsec logs
From: kinomakino <kin...@ho...> - 2014-08-13 07:32:05
Thank you very much sir !!
Not exactly what I need, perhaps the google translator xD I failed.
Right now I have 20,000 rules. I have configured it NOT alert modsec with
error codes 500 or 200.
I use this rule if you've happened to me, shows me ALL codes 200.
This is not about me because I joined modsec with fail2ban, then this rule,
bans ALL legitimate connections (200).
I hope I explained.
What I need is that my alerts 403, as I have now, show a field with country
code
Thank you !!!
////
Since you're from Barcelona... in Spanish as well xD.
If I create the rule you suggested, it starts showing me all the
200 codes, and as you'll understand, that doesn't work well.
Thanks, Marc!!!
_____
From: Marc Cortinas Val [mailto:mar...@gm...]
Sent: Wednesday, 13 August 2014 0:19
To: kinomakino
CC: mod...@li...
Subject: Re: [Mod-security-rules] Show GEO DAT in modsec logs
Hello,
I think you can log it with the audit log from mod security.
Logging directives:
{code}
SecAuditEngine On
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
{code}
Rule:
{code}
SecRule REQUEST_HEADERS:X-Forwarded-For "@geoLookup" \
    "id:'999015',phase:1,t:none,pass,log,auditlog,\
    msg:'IP Country is: %{geo.country_code} and X-Forwarded-For is: %{matched_var}'"
{code}
My Apache is behind Varnish and I evaluate the remote IP from the
X-Forwarded-For header, but you can use REMOTE_ADDR instead of
REQUEST_HEADERS:X-Forwarded-For.
Kind regards,
Marc
On 12 August 2014 20:33, kinomakino <kin...@ho...> wrote:
First, thanks for everything. sorry for my English.
I wonder if there is any way to use IP Geolocation in ModSec logs.
That is, I wish for all my active rules, show me the country code in the
logs.
Thanks for everything.
Now if I do this:
SecGeoLookupDb /home/jmolina/GeoLiteCity.dat
#SecRule REMOTE_ADDR "@geoLookup" "phase:1,id:13102,t:none,pass,log,msg:'%{GEO.COUNTRY_CODE}'"
geolocation to show me ALL connections, including HTTP 200 usually does not
show me.
------------------------------------------------------------------------------
_______________________________________________
Mod-security-rules mailing list
Mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-rules
--
Marc Cortinas Val
600604388
mar...@gm...
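
An added example, not part of the thread and not the posters' own configuration: one way to get the country code into 403 alerts only, without the geo lookup itself logging every request that fail2ban would then act on. Rule id 13103 and the `/blocked-example` path are hypothetical; the database path and id 13102 are taken from the original question.

```apache
# Added example. Rule id 13103 and the /blocked-example path are hypothetical.
SecGeoLookupDb /home/jmolina/GeoLiteCity.dat

# Before: "log" writes an alert for every request the lookup succeeds on,
# including normal 200 responses, so a fail2ban filter that matches
# ModSecurity alerts ends up banning legitimate clients.
#SecRule REMOTE_ADDR "@geoLookup" \
#    "id:13102,phase:1,t:none,pass,log,msg:'%{GEO.COUNTRY_CODE}'"

# After: the same lookup, but "nolog" keeps this rule out of both the error
# log and the audit log. It still fills the GEO collection for the rest of
# the transaction. Use REMOTE_ADDR unless a trusted proxy in front of Apache
# sets X-Forwarded-For, since clients can send that header themselves.
SecRule REMOTE_ADDR "@geoLookup" \
    "id:13102,phase:1,t:none,pass,nolog"

# A blocking rule then reports the country itself, and only when it fires.
# If the lookup found nothing (for example a private address), the macro
# expands to an empty string.
SecRule REQUEST_URI "@beginsWith /blocked-example" \
    "id:13103,phase:2,t:none,deny,status:403,log,\
    msg:'Blocked request',logdata:'country=%{GEO.COUNTRY_CODE}'"
```

Existing blocking rules get the same field by adding the `logdata` action (or the macro inside `msg`) to each of them; the lookup rule only has to run once per request, before them.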