Re: [mod-security-users] SecRule TX:HIGH_RISK_COUNTRY_CODES does not trigger ?
From: Christian F. <chr...@ne...> - 2018-01-05 09:04:28
Hello Frédéric,

On Fri, Jan 05, 2018 at 09:34:13AM +0100, Frederic Fichter wrote:
> DebugLog is as follows:
>
> [4] (Rule: 910100) Executing operator "Rx" with param "^$" against TX:HIGH_RISK_COUNTRY_CODES.
> [9] Target value: "CH YU LT EG" (Variable: TX:HIGH_RISK_COUNTRY_CODES)
> [9] Matched vars updated.
> [4] Running [independent] (non-disruptive) action: msg
> [9] Saving msg: Client IP is from a HIGH Risk Country Location.
> [4] Running [independent] (non-disruptive) action: log
> [9] Saving transaction to logs
> [4] Rule returned 1.
> [4] Executing chained rule.
> [4] (Rule: 0) Executing operator "GeoLookup" with param "" against TX:REAL_IP.
> [9] Target value: "37.0.34.57" (Variable: TX:REAL_IP)
> [4] Rule returned 0.
> [9] Matched vars cleaned.
>
> So 910100 actually does trigger, but the “block” action is not applied. Could you shed a light on that? :)

No, I do not think it did trigger. If you look at the rule, it's tri-fold. The one that triggered was the first rule that checks high-risk-countries is not empty. That seems to be the case, so on to the 2nd rule, which is the execution of the GeoIPLookup (look up in the book why this is done via an operator in a rule) and that rule returned a 0.

That is odd.

@Felipe: How good is the GeoIP support in 3.0? I take it this is meant to work but it looks as if it would not.

Ahoj,

Christian

--
Moderation, the Golden Mean, the Aristonmetron, is the secret of wisdom and of happiness. But it does not mean embracing an unadventurous mediocrity: rather it is an elaborate balancing-act, a feat of intellectual skill demanding constant vigilance. Its aim is a reconciliation of opposites.
-- Robertson Davies
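
The chain evaluation discussed in this message, as an added example (not part of the original message and not ModSecurity code): a Python script that groups the quoted debug-log lines into chains and reports whether the chain as a whole matched. It assumes only the line shapes visible in that log; parse_chains and chain_matched are names chosen here.

```python
import re

# Debug-log lines copied from the message quoted above.
SAMPLE_LOG = r'''[4] (Rule: 910100) Executing operator "Rx" with param "^$" against TX:HIGH_RISK_COUNTRY_CODES.
[9] Target value: "CH YU LT EG" (Variable: TX:HIGH_RISK_COUNTRY_CODES)
[9] Matched vars updated.
[4] Running [independent] (non-disruptive) action: msg
[9] Saving msg: Client IP is from a HIGH Risk Country Location.
[4] Running [independent] (non-disruptive) action: log
[9] Saving transaction to logs
[4] Rule returned 1.
[4] Executing chained rule.
[4] (Rule: 0) Executing operator "GeoLookup" with param "" against TX:REAL_IP.
[9] Target value: "37.0.34.57" (Variable: TX:REAL_IP)
[4] Rule returned 0.
[9] Matched vars cleaned.
'''

LINE_RE = re.compile(r'^\[\d+\] (.*)$', re.M)
EXEC_RE = re.compile(r'\(Rule: (\d+)\) Executing operator "([^"]*)" with param "[^"]*" against (\S+)\.$')
RET_RE = re.compile(r'Rule returned (\d+)\.$')

def parse_chains(log_text):
    """Group operator executions into chains; chained links are logged as 'Rule: 0'."""
    chains, current = [], None
    for m in LINE_RE.finditer(log_text):
        text = m.group(1).rstrip()
        ex, ret = EXEC_RE.match(text), RET_RE.match(text)
        if ex:
            link = {"operator": ex.group(2), "target": ex.group(3), "returned": None}
            if current and current["pending"]:   # previous link announced a chained rule
                current["links"].append(link)
            else:                                # a new chain head
                current = {"rule_id": ex.group(1), "links": [link]}
                chains.append(current)
            current["pending"] = False
        elif ret and current:
            current["links"][-1]["returned"] = int(ret.group(1))
        elif text == "Executing chained rule." and current:
            current["pending"] = True
    return chains

def chain_matched(chain):
    """The chain matches only if every link returned 1 and no chained link is still due."""
    return not chain["pending"] and all(lk["returned"] == 1 for lk in chain["links"])

if __name__ == "__main__":
    for c in parse_chains(SAMPLE_LOG):
        print(c["rule_id"], chain_matched(c), [(lk["operator"], lk["returned"]) for lk in c["links"]])
```

On the quoted log this reports chain 910100 as not matched: the Rx link returned 1 and the GeoLookup link against TX:REAL_IP returned 0.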