Re: [Mod-security-rules] Show GEO DAT in modsec logs
From: Marc C. V. <mar...@gm...> - 2014-08-15 19:56:33
Hi,

I think you can add the country code in the request header and then you can log the header in Apache.

Best,
Marc
— Sent from Mailbox

On Wed, Aug 13, 2014 at 9:32 AM, kinomakino <kin...@ho...> wrote:

> Thank you very much sir !!
> Not exactly what I need, perhaps the google translator xD I failed.
> Right now I have 20,000 rules. I have configured modsec NOT to alert with
> error codes 500 or 200.
> If I use this rule you've passed me, it shows me ALL codes 200.
> This does not work for me because I joined modsec with fail2ban, so this rule
> bans ALL legitimate connections (200).
> I hope I explained.
> What I need is for my 403 alerts, as I have them now, to show a field with
> the country code.
> Thank you !!!
>
> ////
> Being from Barcelona... in Spanish too xD.
>
> If I use the rule you gave me, it starts showing me all the
> 200 codes, and as you'll understand, that doesn't work well.
>
> Thanks Marc !!!
>
> _____
> From: Marc Cortinas Val [mailto:mar...@gm...]
> Sent: Wednesday, 13 August 2014 0:19
> To: kinomakino
> CC: mod...@li...
> Subject: Re: [Mod-security-rules] Show GEO DAT in modsec logs
>
> Hello,
>
> I think you can log it with the audit log from ModSecurity.
> Logging directives:
> {code}
> SecAuditEngine On
> SecAuditLogParts ABIJDEFHZ
> SecAuditLogType Serial
> SecAuditLog /var/log/httpd/modsec_audit.log
> {code}
>
> Rule:
> {code}
> SecRule REQUEST_HEADERS:X-Forwarded-For "@geoLookup" \
>     "id:'999015',phase:1,t:none,pass,log,auditlog,msg:'IP Country is: %{geo.country_code} and X-Forwarded-For is: %{matched_var}'"
> {code}
>
> My Apache is behind Varnish and I evaluate the remote IP from the header
> X-Forwarded-For, but you can use REMOTE_ADDR instead of
> REQUEST_HEADERS:X-Forwarded-For.
>
> Kind regards,
> Marc
>
> On 12 August 2014 20:33, kinomakino <kin...@ho...> wrote:
> First, thanks for everything. Sorry for my English.
> I wonder if there is any way to use IP geolocation in ModSec logs.
> That is, I wish for all my active rules to show me the country code in the
> logs.
> Thanks for everything.
> Now if I do this:
> SecGeoLookupDb /home/jmolina/GeoLiteCity.dat
> #SecRule REMOTE_ADDR "@geoLookup" "phase:1,id:13102,t:none,pass,log,msg:'%{GEO.COUNTRY_CODE}'"
> geolocation shows me ALL connections, including HTTP 200, which it usually
> does not show me.
> _______________________________________________
> Mod-security-rules mailing list
> Mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-rules
>
> --
> Marc Cortinas Val
> 600604388
> mar...@gm...
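
One way to get the country code onto 403 lines only, as an added example that is not from either poster or from the ModSecurity project: the lookup runs silently (`nolog`), so ordinary 200 requests raise no alert, and the code is carried in an Apache environment variable instead of the request header suggested above. The rule id 999016, the variable name `geo_cc`, the format name `geo403` and the log file name are assumptions; the `expr=` condition requires Apache 2.4.

```apache
# Added example. Rule id, variable name, format name and log file name are assumptions.
SecGeoLookupDb /home/jmolina/GeoLiteCity.dat

# Phase 1 lookup that never writes an alert (nolog), so it adds nothing to
# the ModSecurity logs that fail2ban reads. On a successful lookup the
# country code is copied into the Apache environment variable geo_cc.
# Behind a proxy such as Varnish, swap REMOTE_ADDR for
# REQUEST_HEADERS:X-Forwarded-For as in the quoted rule.
SecRule REMOTE_ADDR "@geoLookup" \
    "id:999016,phase:1,t:none,pass,nolog,setenv:geo_cc=%{geo.country_code}"

# Access-log format carrying the country code next to the final status.
# %{geo_cc}e prints "-" when the lookup found nothing.
LogFormat "%h %{geo_cc}e %t \"%r\" %>s" geo403

# Write a line only when the final response status is 403.
CustomLog /var/log/httpd/geo_403.log geo403 "expr=%{REQUEST_STATUS} -eq 403"
```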