[Owasp-modsecurity-core-rule-set] Regarding core rule set of Mod Security

Brian Rectanus Brian.Rectanus at breach.com
Tue Jan 12 11:34:26 EST 2010


SAJAL BHATIA wrote:
> Hi, 
> 
> I have a few  questions related to core rule set of Mod Security
> 
> 1. How does it perform the searching of IPs which it is required to allow or block? 

Not sure what you mean here.  You want to pass it a list of IPs to
block?  If so probably regex is the only way:

SecRule REMOTE_ADDR "^(?:1\.2\.3\.4|5\.6\.7\.8)$" \
                    "phase:1,deny"

But you could be smarter about the regex for IPs in the same subnet:

SecRule REMOTE_ADDR "^(?:1\.2\.3\.(?:4|5|6)|5\.6\.7\.(?:8|9|10))$" \
                    "phase:1,deny"

@pm and @pmFromFile will not work as the match is not bounded, so
"1.2.3.4" will match for "101.2.3.4", etc.

On the list of features to build is an @ip operator to do this better,
but really it is faster to do this from an external firewall.

Another option is @rbl.

And yet another option if you are a developer is to build your own
custom operator with the API.

> 2. Can we give externally a list of IPs to the core rule set for it to block or allow access?
> 3. Is it possible to make Mod Security refresh its white list or black list of IPs in real time?

You can if you build your own RBL and use the @rbl operator.

> 4. How can we update our customized rule set dynamically? Does it require the apache server to restart? 

It requires a reload (i.e. "graceful") as it is part of the Apache config.

-B

-- 
Brian Rectanus
Breach Security
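The two points in the reply above, that a list of IPs has to be turned into an anchored regex and that the unbounded substring semantics of @pm/@pmFromFile make "1.2.3.4" fire on "101.2.3.4", can be checked outside Apache. The Python below is an added illustration, not code from the mailing-list thread or from the ModSecurity project: `pm_style_match` is an assumed, simplified emulation of @pm's substring matching, `build_anchored_regex` and `build_grouped_regex` are hypothetical helpers that generate the two rule patterns shown in the reply, and the blocklist is constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample blocklist; the entries match the two rules in the reply.
BLOCKLIST = ["1.2.3.4", "1.2.3.5", "1.2.3.6", "5.6.7.8", "5.6.7.9", "5.6.7.10"]


def pm_style_match(ip, blocklist):
    """Emulate (assumption: simplified) the unbounded match of @pm/@pmFromFile:
    any list entry occurring anywhere inside the address counts as a hit."""
    return any(entry in ip for entry in blocklist)


def build_anchored_regex(blocklist):
    """Flat alternation anchored at both ends: ^(?:1\\.2\\.3\\.4|5\\.6\\.7\\.8)$
    re.escape() turns the dots into literal '\\.' so '.' cannot match any byte."""
    return "^(?:" + "|".join(re.escape(ip) for ip in blocklist) + ")$"


def build_grouped_regex(blocklist):
    """Group addresses by their first three octets, the 'smarter' form from the
    reply: ^(?:1\\.2\\.3\\.(?:4|5|6)|5\\.6\\.7\\.(?:8|9|10))$"""
    groups = defaultdict(list)
    for ip in blocklist:
        prefix, last_octet = ip.rsplit(".", 1)
        groups[prefix].append(last_octet)
    alternatives = [
        re.escape(prefix) + r"\." + "(?:" + "|".join(octets) + ")"
        for prefix, octets in groups.items()  # insertion order is preserved
    ]
    return "^(?:" + "|".join(alternatives) + ")$"


def regex_match(ip, pattern):
    """The @rx semantics: the anchored pattern must cover the whole address."""
    return re.search(pattern, ip) is not None


def sec_rule(pattern):
    """Render the pattern as the phase-1 deny rule used in the reply (hypothetical
    helper; the output is the same SecRule shape as the two examples above)."""
    return 'SecRule REMOTE_ADDR "%s" \\\n                    "phase:1,deny"' % pattern


def compare(ip, blocklist):
    """Return (pm_hit, regex_hit) so the false positive of the unbounded
    match can be seen side by side with the anchored regex."""
    return pm_style_match(ip, blocklist), regex_match(ip, build_anchored_regex(blocklist))


if __name__ == "__main__":
    print(sec_rule(build_anchored_regex(BLOCKLIST)))
    print(sec_rule(build_grouped_regex(BLOCKLIST)))
    for addr in ["1.2.3.4", "101.2.3.4", "5.6.7.10", "5.6.7.100"]:
        print(addr, compare(addr, BLOCKLIST))
```

Running it prints the two generated rules and then, for "101.2.3.4", a `(True, False)` pair: the substring emulation blocks a client that is not on the list, the anchored regex does not. The grouped form is only a size optimisation of the same anchored pattern; both stay bounded because of the `^` and `$`.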
