GREAT !!!!
Thank you, Ryan.
On Tue, Aug 27, 2013 at 6:06 PM, Ryan Barnett <RBa...@tr...> wrote:
>
> From: Sergio <se...@gm...>
> Reply-To: "mod...@li..." <mod...@li...>
> Date: Tuesday, August 27, 2013 8:02 PM
> To: "mod...@li..." <mod...@li...>
> Subject: Re: [mod-security-users] Does REMOTE_ADDR directive can handle CIDR notation?
>
> Thank you, Josh!
>
> One more question, is it possible to check the @ipMatch with a file
> filled with the CIDR IPs that I want to block?
>
>
>
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-ipMatchFromFile
>
> -Ryan
>
>
> Something like this?
>
> SecRule REMOTE_ADDR "@ipMatch IPs-blacklist.txt" \
>     "phase:1,id:1,block,msg:'Blocked request due to source IP'"
>
> Right now I am using my rule:
> SecRule REMOTE_ADDR "!@pmFromFile IPs-whitelist.txt" \
>     "chain,deny,nolog,id:199,rev:2,msg:'IP Match: IP is on My IPs Blacklist',severity:'3'"
> SecRule REMOTE_ADDR "@pmFromFile IPs-blacklist.txt"
>
> But I need to make it more flexible, so I can use CIDRs and that will be
> great.
>
> Regards,
>
> Sergio
>
>
> On Tue, Aug 27, 2013 at 1:28 PM, Josh Amishav-Zlatin <ja...@ow...> wrote:
>
>> On Tue, Aug 27, 2013 at 10:14 PM, Sergio <se...@gm...> wrote:
>>
>>> Hi all,
>>> I have a question: can REMOTE_ADDR use CIDR notation, or is it only
>>> for exact matches, as in the example in the reference manual?
>>>
>>> Example:
>>> SecRule REMOTE_ADDR "@ipMatch 192.168.1.101" "id:35"
>>>
>>> I would like to use a rule that can block a range of /16 IPs.
>>>
>>>
>> Hi Sergio,
>>
>> The REMOTE_ADDR variable simply holds the remote address of the client.
>> The ipMatch operator does support CIDR notation. For example the following
>> rule blocks a /16 address range:
>>
>> SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/16" \
>>     "phase:1,id:1,block,msg:'Blocked request due to source IP'"
>>
>> --
>> - Josh
>>
>>> Thanks in advance.
>>>
>>> Regards,
>>>
>>> Sergio
>>>
>>> ------------------------------------------------------------------------------
>>> Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
>>> Discover the easy way to master current and previous Microsoft
>>> technologies
>>> and advance your career. Get an incredible 1,500+ hours of step-by-step
>>> tutorial videos with LearnDevNow. Subscribe today and save!
>>>
>>> http://pubads.g.doubleclick.net/gampad/clk?id=58040911&iu=/4140/ostg.clktrk
>>> _______________________________________________
>>> mod-security-users mailing list
>>> mod...@li...
>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>> http://www.modsecurity.org/projects/commercial/rules/
>>> http://www.modsecurity.org/projects/commercial/support/
>>>
>>>
>>
>>
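Putting the thread's answer together, as an added example that is not part of the original messages: Sergio's whitelist/blacklist chain rewritten with `@ipMatchFromFile` (the operator Ryan links to), so that both files can hold CIDR blocks. The file names, rule id, message and severity come from Sergio's rule; the file contents shown in the comments are constructed, and `phase:1` and `log` are choices made for this example.

```apache
# IPs-blacklist.txt (constructed sample; one address or CIDR block per line):
#   10.0.0.0/16
#   192.0.2.0/24
#   198.51.100.7
#
# IPs-whitelist.txt (constructed sample; exceptions carved out of the ranges above):
#   10.0.5.20
#   192.0.2.128/25

# Chain logic, same shape as the @pmFromFile version in the thread:
#   rule 1 matches when the client is NOT in the whitelist file,
#   rule 2 matches when the client IS in the blacklist file,
#   and the disruptive action on rule 1 fires only if both match.
#
# @ipMatchFromFile compares REMOTE_ADDR against each entry as an address or
# network, so 10.0.0.0/16 covers 10.0.0.0 through 10.0.255.255 and nothing else.
# @pmFromFile is a phrase (substring) match: an entry such as 10.1.1.1 would
# also hit 10.1.1.10 or 210.1.1.1, and a CIDR entry would never match at all.
SecRule REMOTE_ADDR "!@ipMatchFromFile IPs-whitelist.txt" \
    "phase:1,id:199,chain,deny,log,msg:'IP Match: IP is on My IPs Blacklist',severity:'3'"
    SecRule REMOTE_ADDR "@ipMatchFromFile IPs-blacklist.txt"
```

With the sample files, 10.0.7.9 is denied, while 10.0.5.20 and 192.0.2.200 pass because the whitelist test fails first and the chain never reaches the blacklist.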