[mod-security-users] SecRule TX:HIGH_RISK_COUNTRY_CODES does not trigger?
From: Frederic F. <fre...@gm...> - 2018-01-04 14:37:40
Hello all,
First post on this list!
I’m playing with what should be a super-simple setup (NGINX+modsecurity+CRS 3.0).
Still, not everything is working as expected.
I’m trying to block requests from some countries (I’m testing from a CH IP).
In my REQUEST-910-IP-REPUTATION.conf sits the rule I want to use:
#
# -=[ GeoIP Checks ]=-
#
# This rule requires activating the SecGeoLookupDB directive
# in the crs-setup.conf file and specifying
# the list of blocked countries (tx.high_risk_country_codes).
#
# This rule does a GeoIP resolution on the client IP address.
#
SecRule TX:HIGH_RISK_COUNTRY_CODES "!^$" \
"msg:'Client IP is from a HIGH Risk Country Location.',\
severity:'CRITICAL',\
id:910100,\
phase:request,\
log,\
block,\
t:none,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
chain"
SecRule TX:REAL_IP "@geoLookup" \
"chain"
SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
"setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
setvar:ip.reput_block_flag=1,\
expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
setvar:'ip.reput_block_reason=%{rule.msg}'"
And in my crs-setup.conf I have:
SecAction \
"id:900600,\
phase:1,\
log,\
pass,\
t:none,\
setvar:'tx.high_risk_country_codes=CH YU LT EG'"
Now, I can find rule ID 900600 in my audit log but not rule ID 910100 (see below).
---UkhFLq7B---A--
[04/Jan/2018:14:20:10 +0000] 151507561010.797697 37.0.34.57 28266 37.0.34.57 80
---UkhFLq7B---B--
GET / HTTP/1.1
Host: xxxxxx.northeurope.cloudapp.azure.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
If-Modified-Since: Tue, 26 Dec 2017 16:01:12 GMT
If-None-Match: "5a427248-264"
---UkhFLq7B---D--
---UkhFLq7B---F--
HTTP/1.1 304
Server: nginx/1.13.8
Date: Thu, 04 Jan 2018 14:20:10 GMT
Last-Modified: Tue, 26 Dec 2017 16:01:12 GMT
Connection: keep-alive
ETag: "5a427248-264"
---UkhFLq7B---H--
ModSecurity: Warning. [file "/etc/nginx/modsec/crs-setup.conf"] [line "563"] [id "900600"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "37.0.34.57"] [uri "/"] [unique_id "151507561010.797697"] [ref ""]
---UkhFLq7B---I--
---UkhFLq7B---J--
---UkhFLq7B---Z--
My "paranoia level" is set to 1. I know for sure that CRS rules are enforced: if I change the paranoia level to 4 and launch requests containing special characters, other rules do trigger.
Thanks a lot for your help with this.
Best,
Fred
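Added example (editor's illustration, not code from the post, from ModSecurity or from the CRS): a small Python simulation of how the three-link chain behind rule 910100 is evaluated. The chain semantics it models are the documented ones: the actions (log, block, setvar) live on the first rule only, every link must match in order, and a link whose variable is absent (for example an unset TX:REAL_IP) simply fails to match, so the chain ends without writing anything about 910100 to the audit log. The GeoIP table, the `geo_lookup`/`within`/`evaluate_910100` names and the mapping of 37.0.34.57 to CH are constructed for the example; the function returns which link broke the chain, which is exactly the information the audit log in the post cannot show.

```python
"""Simulate ModSecurity's evaluation of the CRS 910100 chain.

Constructed example, not ModSecurity or CRS code.  Chain semantics modelled:
  * actions sit on the first rule of the chain only;
  * every link must match, in order, for the chain to fire;
  * a link that reads a variable that is not set does not match, so the
    chain stops silently and rule 910100 never appears in the audit log.
"""
import re

# Constructed stand-in for a GeoIP database: client IP -> ISO country code.
# Assumption for the example: 37.0.34.57 resolves to CH.
GEOIP_DB = {
    "37.0.34.57": "CH",
    "203.0.113.9": "US",
}


def geo_lookup(ip, db=GEOIP_DB):
    """Stand-in for @geoLookup: country code on success, None when the
    address has no record (the operator then does not match)."""
    return db.get(ip)


def within(needle, haystack):
    """@within semantics: the variable value must occur as a substring of the
    macro-expanded parameter.  Note this is a substring test, not list
    membership: 'H Y' would also be 'within' 'CH YU LT EG'."""
    return needle != "" and needle in haystack


def evaluate_910100(tx):
    """Run the chain against a dict of TX variables.

    Returns (fired, reason); reason names the link that stopped the chain
    so the caller can see why 910100 did not fire."""
    # Link 1: SecRule TX:HIGH_RISK_COUNTRY_CODES "!^$"
    # An unset variable is treated like an empty one here: either way the
    # link does not match and the chain ends.
    codes = tx.get("high_risk_country_codes", "")
    if re.match(r"^$", codes):
        return False, "link 1: tx.high_risk_country_codes is empty or unset"

    # Link 2: SecRule TX:REAL_IP "@geoLookup"
    real_ip = tx.get("real_ip")
    if real_ip is None:
        return False, "link 2: tx.real_ip is not set, nothing to look up"
    country = geo_lookup(real_ip)
    if country is None:
        return False, "link 2: @geoLookup has no record for %s" % real_ip

    # Link 3: SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}"
    if not within(country, codes):
        return False, "link 3: %s is not within '%s'" % (country, codes)

    # All links matched: the first rule's setvars and disruptive action apply.
    tx["anomaly_score"] = tx.get("anomaly_score", 0) + tx.get("critical_anomaly_score", 5)
    tx["msg"] = "Client IP is from a HIGH Risk Country Location."
    tx["ip.reput_block_flag"] = 1
    return True, "all links matched: 910100 logs and blocks"


if __name__ == "__main__":
    base = {"high_risk_country_codes": "CH YU LT EG", "critical_anomaly_score": 5}
    for label, extra in [
        ("CH client, real_ip set", {"real_ip": "37.0.34.57"}),
        ("real_ip never set", {}),
        ("US client", {"real_ip": "203.0.113.9"}),
    ]:
        tx = dict(base, **extra)
        print(label, "->", evaluate_910100(tx))
```

The simulation makes the diagnostic point behind the post: rule 900600 shows up in the audit log because it is a `log,pass` SecAction that always executes, whereas a chain that stops at link 2 or 3 writes nothing at all, so the absence of 910100 in the audit log does not say which link failed. In real ModSecurity the per-rule trace that this function returns as `reason` comes from SecDebugLog at a high SecDebugLogLevel, which is where to look at whether TX:REAL_IP is populated and whether the GeoIP lookup succeeds before the `@within` comparison is reached.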