Re: [mod-security-users] Can we consume Third Part IP reputation list?
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Can we consume Third Part IP reputation list?
|
From: homesh j. <ho...@gm...> - 2020-04-13 13:14:24
|
Hi Blason, If you can keep a IP list in a txt file e.g bad-ip.txt e.g cat bad-ip.txt 1.1.1.1 2.2.2.2 . . n.n.n.n The you can call this list in a modsec rule like below mention example. SecRule REMOTE_ADDR "@ipMatchFromFile /file-path-for bad-ip.txt/bad-ip.txt" "id:6005,\ phase:request,log,\ msg:'Threat Intel',\ tag:'Local-bad-reputation',\ severity:'CRITICAL',\ maturity:'9',\ accuracy:'9',\ rev:'1',\ capture,\ drop" I have set action as "drop" which will do "tcp reset" and hence save my Apache sessions from getting full by these bad IPs After every time you update the file you will need to reload / restart the Apache service. I am running this with Apache 2.4 and modsecurity 2.9.3 for past 1 year with out any issue. Hope this helps. Thanks, Homesh On Mon, Apr 13, 2020 at 4:38 PM Blason R <bla...@gm...> wrote: > Hi Folks, > > Wondering if we can consume any third party IP reputation list through > modsec? > Just like we internally generate our own IP reputation list through > honeypot and wanted to know if I can use that? > > TIA > Blason R > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > |
