mod-security-users Mailing List for ModSecurity (Page 50)

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hello all,

First post in this list !

I’m playing with what should be a super-simple setup (NGINX+modsecurity+CRS 3.0).
Still, not everything is working as expected.

I’m trying to block requests from some countries (I’m testing from a CH IP).

In my REQUEST-910-IP-REPUTATION.conf sits the rule which I want to use:

#
# -=[ GeoIP Checks ]=-
#
# This rule requires activating the SecGeoLookupDB directive
# in the crs-setup.conf file and specifying
# the list of blocked countries (tx.high_risk_country_codes).
#
# This rule does a GeoIP resolution on the client IP address.
#
SecRule TX:HIGH_RISK_COUNTRY_CODES "!^$" \
"msg:'Client IP is from a HIGH Risk Country Location.',\
 severity:'CRITICAL',\
 id:910100,\
 phase:request,\
 log,\
 block,\
 t:none,\
 tag:'application-multi',\
 tag:'language-multi',\
 tag:'platform-multi',\
 tag:'attack-reputation-ip',\
 chain"
 SecRule TX:REAL_IP "@geoLookup" \
  "chain"
   SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
    "setvar:'tx.msg=%{rule.msg}',\
     setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
     setvar:tx.%{rule.id <http://rule.id/>}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
     setvar:ip.reput_block_flag=1,\
     expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
     setvar:'ip.reput_block_reason=%{rule.msg}'"

And in my crs-setup.conf I have:

SecAction \
"id:900600,\
 phase:1,\
 log,\
 pass,\
 t:none,\
 setvar:'tx.high_risk_country_codes=CH YU LT EG’"

Now, I can find rule ID 900600 in my audit log but not rule ID 910100, see below. 

---UkhFLq7B---A--
[04/Jan/2018:14:20:10 +0000] 151507561010.797697 37.0.34.57 28266 37.0.34.57 80
---UkhFLq7B---B--
GET / HTTP/1.1
Host: xxxxxx.northeurope.cloudapp.azure.com <http://xxxxxx.northeurope.cloudapp.azure.com/>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
If-Modified-Since: Tue, 26 Dec 2017 16:01:12 GMT
If-None-Match: "5a427248-264"

---UkhFLq7B---D--

---UkhFLq7B---F--
HTTP/1.1 304
Server: nginx/1.13.8
Date: Thu, 04 Jan 2018 14:20:10 GMT
Last-Modified: Tue, 26 Dec 2017 16:01:12 GMT
Connection: keep-alive
ETag: "5a427248-264"

---UkhFLq7B---H--
ModSecurity: Warning.  [file "/etc/nginx/modsec/crs-setup.conf"] [line "563"] [id "900600"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "37.0.34.57"] [uri "/"] [unique_id "151507561010.797697"] [ref ""]

---UkhFLq7B---I--

---UkhFLq7B---J--

---UkhFLq7B---Z--

My “paranoia level" is set to 1. I know for sure that CRS rules are enforced, if I change the paranoia level to 4 and launch requests containing special characters other rules do trigger.

Thanks a lot for your help with this.

Best,

Fred

2003	Jan	Feb	Mar	Apr	May	Jun (2)	Jul (17)	Aug (7)	Sep (8)	Oct (11)	Nov (14)	Dec (19)
2004	Jan (46)	Feb (14)	Mar (20)	Apr (48)	May (15)	Jun (20)	Jul (36)	Aug (24)	Sep (31)	Oct (28)	Nov (23)	Dec (12)
2005	Jan (69)	Feb (61)	Mar (82)	Apr (53)	May (26)	Jun (71)	Jul (27)	Aug (52)	Sep (28)	Oct (49)	Nov (104)	Dec (74)
2006	Jan (61)	Feb (148)	Mar (82)	Apr (139)	May (65)	Jun (116)	Jul (92)	Aug (101)	Sep (84)	Oct (103)	Nov (174)	Dec (102)
2007	Jan (166)	Feb (161)	Mar (181)	Apr (152)	May (192)	Jun (250)	Jul (127)	Aug (165)	Sep (97)	Oct (135)	Nov (206)	Dec (56)
2008	Jan (160)	Feb (135)	Mar (98)	Apr (89)	May (115)	Jun (95)	Jul (188)	Aug (167)	Sep (153)	Oct (84)	Nov (82)	Dec (85)
2009	Jan (139)	Feb (133)	Mar (128)	Apr (105)	May (135)	Jun (79)	Jul (92)	Aug (134)	Sep (73)	Oct (112)	Nov (159)	Dec (80)
2010	Jan (100)	Feb (116)	Mar (130)	Apr (59)	May (88)	Jun (59)	Jul (69)	Aug (67)	Sep (82)	Oct (76)	Nov (59)	Dec (34)
2011	Jan (84)	Feb (74)	Mar (81)	Apr (94)	May (188)	Jun (72)	Jul (118)	Aug (109)	Sep (111)	Oct (80)	Nov (51)	Dec (44)
2012	Jan (80)	Feb (123)	Mar (46)	Apr (12)	May (40)	Jun (62)	Jul (95)	Aug (66)	Sep (65)	Oct (53)	Nov (42)	Dec (60)
2013	Jan (96)	Feb (96)	Mar (108)	Apr (72)	May (115)	Jun (111)	Jul (114)	Aug (87)	Sep (93)	Oct (97)	Nov (104)	Dec (82)
2014	Jan (96)	Feb (77)	Mar (71)	Apr (40)	May (48)	Jun (78)	Jul (54)	Aug (44)	Sep (58)	Oct (79)	Nov (51)	Dec (52)
2015	Jan (55)	Feb (59)	Mar (48)	Apr (40)	May (45)	Jun (63)	Jul (36)	Aug (49)	Sep (35)	Oct (58)	Nov (21)	Dec (47)
2016	Jan (35)	Feb (81)	Mar (43)	Apr (41)	May (77)	Jun (52)	Jul (39)	Aug (34)	Sep (107)	Oct (67)	Nov (54)	Dec (20)
2017	Jan (99)	Feb (37)	Mar (86)	Apr (47)	May (57)	Jun (55)	Jul (34)	Aug (31)	Sep (16)	Oct (49)	Nov (53)	Dec (33)
2018	Jan (25)	Feb (11)	Mar (79)	Apr (77)	May (5)	Jun (19)	Jul (17)	Aug (7)	Sep (13)	Oct (22)	Nov (13)	Dec (68)
2019	Jan (44)	Feb (17)	Mar (40)	Apr (39)	May (18)	Jun (14)	Jul (20)	Aug (31)	Sep (11)	Oct (35)	Nov (3)	Dec (10)
2020	Jan (32)	Feb (16)	Mar (10)	Apr (22)	May (2)	Jun (34)	Jul (1)	Aug (8)	Sep (36)	Oct (16)	Nov (13)	Dec (10)
2021	Jan (16)	Feb (23)	Mar (45)	Apr (28)	May (6)	Jun (17)	Jul (8)	Aug (1)	Sep (2)	Oct (35)	Nov	Dec (5)
2022	Jan	Feb (17)	Mar (23)	Apr (23)	May (9)	Jun (8)	Jul	Aug	Sep (7)	Oct (5)	Nov (16)	Dec (4)
2023	Jan	Feb	Mar (3)	Apr	May (1)	Jun (4)	Jul (1)	Aug	Sep (2)	Oct (1)	Nov	Dec
2024	Jan (7)	Feb (13)	Mar (18)	Apr	May	Jun	Jul	Aug	Sep (2)	Oct (1)	Nov (5)	Dec (3)
2025	Jan	Feb	Mar	Apr (12)	May (12)	Jun (2)	Jul (3)	Aug	Sep	Oct	Nov	Dec

mod-security-users Mailing List for ModSecurity (Page 50)

mod-security-users — General discussion about mod_security