Thread: [mod-security-users] GeoIP match rule, problem
From: Yi Li <yi...@gm...> - 2009-09-30 21:31:22
Hi, I wish someone could give me a hand here.

I want to write a rule that blocks HTTP traffic whose source IP is from any country other than the US.

I can list all country codes and use a @within operator, which actually works. But I want to find a better way, so I tried negating @within, and then it fails.

Here is what I did:

# Specify GeoIP datafeed
SecGeoLookupDb /etc/httpd/conf/modsecurity/GeoIP-106_20090512.dat

# GeoIP blocking rule, including complete country codes
SecRule REMOTE_ADDR @geoLookup \
  "phase:1,chain,drop,ctl:ruleEngine=DetectionOnly,ctl:auditEngine=On,msg:'banned country code Geo-IP',logdata:'client ip: %{REMOTE_ADDR},%{GEO:COUNTRY_CODE}'"
SecRule GEO:COUNTRY_CODE "!@within US"

SecRule REMOTE_ADDR "@rx ^10\.128\.80\.10$" \
  "phase:1,redirect:http://www.yahoo.com,ctl:ruleEngine=On,ctl:auditEngine=RelevantOnly,msg:'banned IP',logdata:'client ip: %{REMOTE_ADDR},%{REMOTE_ADDR}'"

My test case:

1. Connect to the web server from an internal IP 10.128.x.x.
2. The negated rule never triggers.

I checked the GeoIP database; the address 10.128.x.x does not match any country IP range, so the returned geo country code should be a blank string, which should trigger the SecRule GEO:COUNTRY_CODE "!@within US".

Any thoughts would be appreciated.

Another related question: is there any tool which allows me to generate HTTP traffic while manipulating the source IP of these HTTP requests?

Thanks in advance.
From: Brian R. <Bri...@br...> - 2009-09-30 22:41:52
Yi Li wrote:
> Hi, I wish someone could give me a hand here.
>
> I want to write a rule that blocks HTTP traffic whose source IP is from
> any country other than the US.
>
> I can list all country codes and use a @within operator, which actually
> works.
>
> But I want to find a better way, so I tried negating @within, and then it fails.
>
> Here is what I did:
>
> # Specify GeoIP datafeed
> SecGeoLookupDb /etc/httpd/conf/modsecurity/GeoIP-106_20090512.dat
>
> # GeoIP blocking rule, including complete country codes
> SecRule REMOTE_ADDR @geoLookup \
>   "phase:1,chain,drop,ctl:ruleEngine=DetectionOnly,ctl:auditEngine=On,msg:'banned country code Geo-IP',logdata:'client ip: %{REMOTE_ADDR},%{GEO:COUNTRY_CODE}'"
> SecRule GEO:COUNTRY_CODE "!@within US"
>
> SecRule REMOTE_ADDR "@rx ^10\.128\.80\.10$" \
>   "phase:1,redirect:http://www.yahoo.com,ctl:ruleEngine=On,ctl:auditEngine=RelevantOnly,msg:'banned IP',logdata:'client ip: %{REMOTE_ADDR},%{REMOTE_ADDR}'"
>
> My test case:
>
> 1. Connect to the web server from an internal IP 10.128.x.x.
> 2. The negated rule never triggers.
>
> I checked the GeoIP database; the address 10.128.x.x does not match
> any country IP range, so the returned geo country code should be a blank string,
> which should trigger the SecRule GEO:COUNTRY_CODE "!@within US".
>
> Any thoughts would be appreciated.
>
> Another related question: is there any tool which allows me to generate
> HTTP traffic while manipulating the source IP of these HTTP requests?
>
> Thanks in advance.

This is actually documented as an example for GEO:

SecRule GEO:COUNTRY_CODE "!@streq GB"

Just change that to US?

-B

-- 
Brian Rectanus
Breach Security
From: Yi Li <yi...@gm...> - 2009-10-01 00:46:22
Thanks. I may want to allow up to 20 countries eventually. Using @within to block over 140 country codes does not sound like a good idea, so I am looking at a negated @within. Is there any easy way of doing so?

On Wed, Sep 30, 2009 at 6:41 PM, Brian Rectanus <Bri...@br...> wrote:
> Yi Li wrote:
>> Hi, I wish someone could give me a hand here.
>>
>> I want to write a rule that blocks HTTP traffic whose source IP is from
>> any country other than the US.
>>
>> I can list all country codes and use a @within operator, which actually
>> works.
>>
>> But I want to find a better way, so I tried negating @within, and then it fails.
>>
>> Here is what I did:
>>
>> # Specify GeoIP datafeed
>> SecGeoLookupDb /etc/httpd/conf/modsecurity/GeoIP-106_20090512.dat
>>
>> # GeoIP blocking rule, including complete country codes
>> SecRule REMOTE_ADDR @geoLookup \
>>   "phase:1,chain,drop,ctl:ruleEngine=DetectionOnly,ctl:auditEngine=On,msg:'banned country code Geo-IP',logdata:'client ip: %{REMOTE_ADDR},%{GEO:COUNTRY_CODE}'"
>> SecRule GEO:COUNTRY_CODE "!@within US"
>>
>> SecRule REMOTE_ADDR "@rx ^10\.128\.80\.10$" \
>>   "phase:1,redirect:http://www.yahoo.com,ctl:ruleEngine=On,ctl:auditEngine=RelevantOnly,msg:'banned IP',logdata:'client ip: %{REMOTE_ADDR},%{REMOTE_ADDR}'"
>>
>> My test case:
>>
>> 1. Connect to the web server from an internal IP 10.128.x.x.
>> 2. The negated rule never triggers.
>>
>> I checked the GeoIP database; the address 10.128.x.x does not match
>> any country IP range, so the returned geo country code should be a blank string,
>> which should trigger the SecRule GEO:COUNTRY_CODE "!@within US".
>>
>> Any thoughts would be appreciated.
>>
>> Another related question: is there any tool which allows me to generate
>> HTTP traffic while manipulating the source IP of these HTTP requests?
>>
>> Thanks in advance.
>
> This is actually documented as an example for GEO:
>
> SecRule GEO:COUNTRY_CODE "!@streq GB"
>
> Just change that to US?
>
> -B
>
> -- 
> Brian Rectanus
> Breach Security
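Editor's note, with an added example that is not part of the thread or of the ModSecurity project's own rule sets. Two properties of the ModSecurity 2.x engine explain why the chained "!@within US" rule above never fires for 10.128.x.x. First, a chained rule is only evaluated when the rule before it in the chain matches, and @geoLookup does not match when the lookup fails (the GEO collection is then left unpopulated), so for an address that is absent from the database the chain stops at the first rule. Second, @within treats an empty target as a match, so a negated @within never fires on an empty country code even when one is present. The configuration below therefore keeps the lookup and the decision in separate phase-1 rules, uses @pm to hold a list of allowed countries (the poster's "up to 20 countries" case), and adds an explicit rule for clients whose address cannot be resolved. The database path, rule ids, the country list and the choice to block unresolvable clients are assumptions for the example.

```apache
# Added example (not from the thread): allow a list of countries, block the rest.
# Database path, rule ids and the country list are assumptions; adjust to your deployment.
SecGeoLookupDb /etc/httpd/conf/modsecurity/GeoIP.dat

# Step 1: resolve the client address. Deliberately NOT chained, so the decision
# rules below run whether or not the lookup succeeded. On a failed lookup the
# GEO collection stays empty and GEO:COUNTRY_CODE does not exist.
SecRule REMOTE_ADDR "@geoLookup" \
    "phase:1,id:900100,pass,nolog,t:none"

# Step 2: the lookup failed (no GEO:COUNTRY_CODE at all), e.g. RFC 1918 space
# or a range missing from the database. Decide this case explicitly instead of
# letting it fall through; here the policy is to block. Use 'pass' instead of
# 'deny,status:403' if unresolvable clients should be allowed.
SecRule &GEO:COUNTRY_CODE "@eq 0" \
    "phase:1,id:900101,deny,status:403,log,t:none,\
    msg:'GeoIP lookup failed; client blocked by policy',\
    logdata:'client ip: %{REMOTE_ADDR}'"

# Step 3: the allow-list. @pm matches when the country code equals one of the
# listed phrases (codes are two characters, so a substring match is an exact
# match here); the negation blocks every other code. Extend the list as needed.
SecRule GEO:COUNTRY_CODE "!@pm US CA GB" \
    "phase:1,id:900102,deny,status:403,log,t:none,\
    msg:'Request from country outside allow-list',\
    logdata:'client ip: %{REMOTE_ADDR}, country: %{GEO:COUNTRY_CODE}'"
```

The `id:` actions are required from ModSecurity 2.7 onwards and harmless on the 2.5-era engine the thread is using. Legacy MaxMind databases also return pseudo-codes such as A1 (anonymous proxy) and A2 (satellite provider); those are not on the list and are therefore blocked by rule 900102, which is usually the intended outcome but worth knowing when reading the audit log. On the poster's second question: the source address of a TCP connection cannot be spoofed and still complete the handshake, so rules keyed on REMOTE_ADDR are best tested from hosts in the relevant ranges; in a lab only, the lookup target can be temporarily swapped from REMOTE_ADDR to a request header you control, since @geoLookup will resolve whatever address string it is given, but that header is attacker-controlled and must never be the target in production.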