Re: [Mod-security-rules] Show GEO DAT in modsec logs
From: Marc C. V. <mar...@gm...> - 2014-08-15 19:56:33
Hi,
I think you can add the country code to the request header and then log that header in Apache.
Best,
Marc
—
Sent from Mailbox
On Wed, Aug 13, 2014 at 9:32 AM, kinomakino <kin...@ho...>
wrote:
> Thank you very much, sir!!
> That is not exactly what I need; perhaps Google Translate failed me xD.
> Right now I have 20,000 rules. I have configured modsec NOT to alert on
> error codes 500 or 200.
> If I use the rule you gave me, it shows me ALL 200 codes.
> This does not work for me because I have joined modsec with fail2ban, so this rule
> bans ALL legitimate connections (200).
> I hope I have explained myself.
> What I need is for my 403 alerts, as I have them now, to show a field with the country
> code.
> Thank you!!!
>
> ////
> Being from Barcelona... in Spanish too xD.
>
> If I use the rule you gave me, it starts showing me all the 200
> codes, and as you will understand, that does not work well.
>
> Thanks Marc!!!
>
>
> _____
> From: Marc Cortinas Val [mailto:mar...@gm...]
> Sent: Wednesday, 13 August 2014 0:19
> To: kinomakino
> CC: mod...@li...
> Subject: Re: [Mod-security-rules] Show GEO DAT in modsec logs
>
> Hello,
>
> I think you can log it with the audit log from mod security.
> Logging directives:
> {code}
> SecAuditEngine On
> SecAuditLogParts ABIJDEFHZ
> SecAuditLogType Serial
> SecAuditLog /var/log/httpd/modsec_audit.log
> {code}
>
> Rule:
> {code}
> SecRule REQUEST_HEADERS:X-Forwarded-For "@geoLookup" \
>     "id:'999015',phase:1,t:none,pass,log,auditlog,msg:'IP Country is: %{geo.country_code} and X-Forwarded-For is: %{matched_var}'"
> {code}
>
> My Apache is behind Varnish and I evaluate the remote IP from the
> X-Forwarded-For header, but you can use REMOTE_ADDR instead of
> REQUEST_HEADERS:X-Forwarded-For.
>
> Kind regards,
> Marc
>
> On 12 August 2014 20:33, kinomakino <kin...@ho...> wrote:
> First, thanks for everything. Sorry for my English.
> I wonder if there is any way to use IP geolocation in ModSec logs.
> That is, I would like all my active rules to show me the country code in the
> logs.
> Thanks for everything.
> Now, if I do this:
> SecGeoLookupDb /home/jmolina/GeoLiteCity.dat
> #SecRule REMOTE_ADDR "@geoLookup" "phase:1,id:13102,t:none,pass,log,msg:'%{GEO.COUNTRY_CODE}'"
> it shows me the geolocation for ALL connections, including HTTP 200, which it usually does not
> show me.
> --
> Marc Cortinas Val
> 600604388
> mar...@gm...
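
One way to get the country code only on blocked requests, as asked for in the thread. This is an added example, not configuration from either poster. It assumes ModSecurity 2.x on Apache and that blocked requests end with status 403; the rule ids 999020 and 999021 are placeholders.

```apache
# Added example. Rule ids 999020/999021 are placeholders (assumption);
# the database path is the one given in the original question.
SecGeoLookupDb /home/jmolina/GeoLiteCity.dat

# Rule from the question, kept commented out for comparison. The "log" action
# makes it write an alert for every request it matches, including ordinary
# 200 responses, so a fail2ban filter on ModSecurity alerts bans everyone.
#SecRule REMOTE_ADDR "@geoLookup" \
#    "id:13102,phase:1,t:none,pass,log,msg:'%{GEO.COUNTRY_CODE}'"

# Step 1: the same lookup, but silent (nolog). Its only job is to fill the
# GEO collection for the rest of the transaction. Load it before any other
# phase 1 rule that can deny, or GEO will be empty for those requests.
# Behind a proxy, use REQUEST_HEADERS:X-Forwarded-For as in Marc's rule.
SecRule REMOTE_ADDR "@geoLookup" \
    "id:999020,phase:1,t:none,pass,nolog"

# Step 2: in the logging phase, write one message carrying the country code,
# and only when the final response status is 403. Requests answered with 200
# produce no alert from this rule. If the address is not in the database
# (for example a private range), the country field expands to an empty string.
SecRule RESPONSE_STATUS "@streq 403" \
    "id:999021,phase:5,t:none,pass,log,auditlog,msg:'Blocked request, country: %{geo.country_code}, client: %{remote_addr}'"
```

Before pointing fail2ban at the new message, confirm on a test request that rule 999021 fires for a ModSecurity denial in your build, and keep the fail2ban filter matching on the original blocking rules rather than on this informational line.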