[Owasp-modsecurity-core-rule-set] Paranoia Mode: Forgotten controversial candidate 900050 / 910100 (Client IP is from a HIGH Risk Country Location)

Christian Folini christian.folini at netnea.com
Sat Feb 13 05:30:26 UTC 2016


Hi there,

It seems I overlooked this candidate, where Franziska said she is unsure
whether we should block certain countries in a default installation or
not.

The rule does:
  SecRule GEO:COUNTRY_CODE "@pm %{tx.high_risk_country_codes}" 

With tx.high_risk_country_codes being set to 
"UA ID YU LT EG RO BG TR RU PK MY CN"
in modsecurity_crs_10_setup.conf.example.

Depending on your location, requests from the given set of
countries may be desired and not potential attacks. So I think
Franziska has a point.

One resolution would be to leave the rule where it is, but comment
out the definition of the variable in modsecurity_crs_10_setup.conf.example
and provide multiple default variants in the comments.
That could also be performed in combination with the move to 
the paranoia mode.

Opinions?

Christian


-- 
The problem is, if you're not a hacker, 
you can't tell who the good hackers are.
--- Paul Graham
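As an added illustration (not from the post, the CRS repository, or the author), the following configuration fragment shows how the proposal above could be laid out: the geo lookup prerequisite, the tx.high_risk_country_codes definition left commented out with selectable variants, a guard that skips the check when no list is defined, and rule 910100 itself. The database path, the ids of the two helper rules (9000001, 9000002), the placeholder list in variant B and the anomaly-score variable name are assumptions; only 900050, 910100, the country list and the operator line come from the post.

```apache
# Added example, not the CRS project's own file.
# Geo lookup prerequisite: GEO:COUNTRY_CODE is only populated after
# @geoLookup has run on the client address. Path and id are assumptions.
SecGeoLookupDb /usr/share/GeoIP/GeoLiteCity.dat
SecRule REMOTE_ADDR "@geoLookup" "id:9000001,phase:1,nolog,pass,t:none"

# Country list: left undefined by default, so rule 910100 below stays inert
# until an operator deliberately uncomments ONE of the variants.
#
# Variant A: the list shipped in modsecurity_crs_10_setup.conf.example
#SecAction "id:900050,phase:1,nolog,pass,t:none,setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'"
#
# Variant B: site-specific list (placeholder, replace with your own codes)
#SecAction "id:900050,phase:1,nolog,pass,t:none,setvar:'tx.high_risk_country_codes=<YOUR_COUNTRY_CODES>'"

# Guard (assumed id): if the variable was never set, &TX:... counts 0 and
# the whole country check is skipped instead of matching against an empty list.
SecRule &TX:high_risk_country_codes "@eq 0" \
    "id:9000002,phase:1,nolog,pass,t:none,skipAfter:END-HIGH-RISK-COUNTRY"

# The rule discussed in the post; anomaly-score variable name is an assumption.
SecRule GEO:COUNTRY_CODE "@pm %{tx.high_risk_country_codes}" \
    "id:910100,phase:1,block,t:none,\
    msg:'Client IP is from a HIGH Risk Country Location',\
    logdata:'%{GEO.COUNTRY_CODE}',\
    severity:'WARNING',\
    setvar:'tx.anomaly_score=+%{tx.warning_anomaly_score}'"

SecMarker END-HIGH-RISK-COUNTRY
```

The guard rule is what makes "comment out the definition" safe: without it, an undefined variable expands to an empty phrase list for @pm, and the resulting behaviour is not something an operator should have to reason about when enabling a paranoia level.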

