[Mod-security-rules] mod_security IP whitelist issue
From: arjun v. <arj...@gm...> - 2019-10-24 10:21:46
Hello,

We are using mod_security to blacklist/whitelist IPs in our project. As part of some testing we found that some functionality is not working as expected. We have rules specified in main_setup.conf as below:

SecRule REMOTE_ADDR "@ipMatchFromFile /etc/opt/cpf/conf/modsecurity_whitelist" "id:250000004,phase:1,nolog,allow"
SecRule REMOTE_ADDR "@ipMatchFromFile /etc/opt/cpf/conf/modsecurity_whitelist" "id:250000005,phase:5,nolog,skipAfter:WHITELIST_NOLOG"

This should read the file and whitelist the IPs in it.

Issue: When we provide IPv6 IPs in the file in expanded format (example: fc00:0008:0000:6613:0000:0000:0000:003e), if the source is the same IPv6 address but in short format, then the rules do not take effect. But if we have a rule like

SecRule REMOTE_ADDR "@ipMatch ::1,fc00:0008:0000:6613:0000:0000:0000:003e"

then irrespective of the source IPv6 format, the whitelisting works. Is this an issue?

We have ModSecurity for Apache/2.7.3

Regards!
Arjun
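One way to check whether a whitelist file and a given REMOTE_ADDR refer to the same IPv6 address regardless of expanded or compressed spelling, and to rewrite the file in canonical form as a workaround. This is an added example, not code from the post or from ModSecurity; the whitelist contents and remote addresses are constructed, and it uses Python's standard `ipaddress` module rather than ModSecurity's own matcher.

```python
# Added example: compare a ModSecurity-style IP whitelist against REMOTE_ADDR by parsed
# address rather than by text, so expanded and compressed IPv6 spellings match.
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed whitelist contents, one entry per line, in the shape @ipMatchFromFile reads.
WHITELIST_TEXT = """\
# loopback
::1
fc00:0008:0000:6613:0000:0000:0000:003e
10.20.0.0/16
"""


def parse_whitelist(text: str) -> List[Network]:
    """Parse entries into networks, skipping blanks and '#' comments.
    A bare address becomes a /32 or /128, so both spellings of one IPv6
    address parse to the same object; comparison is on values, not strings.
    """
    networks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            networks.append(ipaddress.ip_network(line, strict=False))
    return networks


def is_whitelisted(remote_addr: str, networks: Iterable[Network]) -> bool:
    """True if remote_addr lies inside any whitelist entry."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in networks)


def canonical_whitelist(text: str) -> str:
    """Rewrite every entry in compressed canonical form, a defensive workaround
    when a consumer of the file is suspected of comparing strings literally."""
    out = []
    for net in parse_whitelist(text):
        # Single hosts are written without a prefix length; ranges keep theirs.
        out.append(str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    nets = parse_whitelist(WHITELIST_TEXT)
    for remote in ("fc00:8:0:6613::3e", "fc00:0008:0000:6613:0000:0000:0000:003e", "fc00:8:0:6613::3f"):
        print(f"{remote:42} whitelisted={is_whitelisted(remote, nets)}")
    print(canonical_whitelist(WHITELIST_TEXT), end="")
```

Running it shows both spellings of the fc00 address matching while a neighbouring address does not, and prints the whitelist rewritten with compressed entries.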