Re: [Mod-security-developers] Question regarding transaction::processConnection()

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Sounds like it is a good idea to always call ProcessConnection(). If this
is the case, then I'm still confused on how I can do this for the XFF case.
My application has ModSec built into it. So, if I want to call
ProcessConnection() from my application, I believe I must:

 1 - Invoke it early in the transaction phase (before processing request
headers, body, etc).
 2 - Pass it serverIP/serverPort which identifies my application that has
ModSec built into it.
 3 - Pass it clientIP/clientPort which identifies the client making the
request.

For #3, an earlier email stated:

In that case, it is safe to use the ip that initiated the request (tcp
request). That is the same scenario as having ModSecurity behind a reverse
proxy of some sort.

For XFF requests, the ip that initiated the request will not accurately
identify the client. Instead, it may identify a load balancer or similar
entity which is in front of my application. If this ip is used to identify
the client, it is not accurate, and all rules will be operating against a
load balancer or similar entity rather than the true client.

On Thu, Mar 8, 2018 at 8:03 AM, Felipe Costa <FC...@tr...> wrote:

> Hi Jai,
>
>
>
> That is an assumption that may be true on a given time frame. The library
> can do something else in a near future and it will assume that this method
> is being called from whomever is consume it. That is one of the reasons
> that calling this method is important.
>
>
>
> Br.,
>
> *Felipe “Zimmerle” Costa*
>
> Security Researcher, Lead Developer ModSecurity.
>
>
>
> *Trustwave* | SMART SECURITY ON DEMAND
>
> *www.trustwave.com <http://www.trustwave.com/>*
>
>
>
> *From: *Jai Harpalani <jai...@mu...>
> *Date: *Thursday, March 8, 2018 at 1:53 AM
> *To: *Felipe Costa <FC...@tr...>
> *Cc: *Robert Paprocki <rpa...@fe...>, "
> mod...@li..." <mod-security-developers@
> lists.sourceforge.net>
> *Subject: *Re: [Mod-security-developers] Question regarding transaction::
> processConnection()
>
>
>
> Searching through the CRS rules, I see that real_ip is used for DOS and
> IP_REPUTATION rules. I am excluding those rules for my specific
> application. Due to these exclusions, it seems like the call to
> ProcessConnection() is required only to set the uniqueID. Is this an
> accurate statement?
>
>
>
> (…)
>