[Owasp-modsecurity-core-rule-set] Regarding core rule set of Mod Security

Brian Rectanus Brian.Rectanus at breach.com
Tue Jan 12 11:34:26 EST 2010

> Hi, 
> I have a few questions related to core rule set of Mod Security
> 1. How does it perform the searching of IPs which it is required to allow or block?

Not sure what you mean here.  You want to pass it a list of IPs to
block?  If so probably regex is the only way:

SecRule REMOTE_ADDR "^(?:1\.2\.3\.4|5\.6\.7\.8)$" \

But you could be smarter about the regex for IPs in the same subnet:

SecRule REMOTE_ADDR "^(?:1\.2\.3\.(?:4|5|6)|5\.6\.7\.(?:8|9|10))$" \

@pm and @pmFromFile will not work as the match is not bounded, so
"" will match for "", etc.

On the list of features to build is an @ip operator to do this better,
but really it is faster to do this from an external firewall.

Another option is @rbl.

And yet another option if you are a developer is to build your own
custom operator with the API.

> 2. Can we give externally a list of IPs to the core rule set for it to block or allow access?
> 3. Is it possible to make Mod Security refresh its white list or black list of IPs in real time?

You can if you build your own RBL and use the @rbl operator.

> 4. How can we update our customized rule set dynamically? Does it require the apache server to restart? 

It requires a reload (ie "graceful") as it is part of the Apache config.


Brian Rectanus
Breach Security
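
Added example, not part of the original message: a Python sketch of why an unbounded phrase match is unsafe for IP block lists while the anchored regex above is not, plus a helper that builds that regex from a list. The substring test is only a simplified stand-in for @pm, and the helper names and sample addresses are constructed for illustration.

```python
import re

# Block list taken from the first SecRule regex in the reply above.
BLOCKED = ["1.2.3.4", "5.6.7.8"]

def phrase_match(remote_addr, phrases):
    """Unbounded substring match: simplified stand-in for @pm on REMOTE_ADDR."""
    return any(p in remote_addr for p in phrases)

def build_anchored_regex(ips):
    """Return ^(?:ip1|ip2|...)$ with dots escaped; reject non-IPv4 entries."""
    alternatives = []
    for ip in ips:
        octets = ip.split(".")
        valid = len(octets) == 4 and all(
            o.isdigit() and int(o) <= 255 for o in octets
        )
        if not valid:
            raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
        alternatives.append(re.escape(ip))
    return "^(?:" + "|".join(alternatives) + ")$"

def anchored_match(remote_addr, pattern):
    """Bounded match: the whole address must equal one listed IP."""
    return re.search(pattern, remote_addr) is not None

def compare(addresses, ips):
    """Return (address, phrase_hit, anchored_hit) for each address."""
    pattern = build_anchored_regex(ips)
    return [
        (a, phrase_match(a, ips), anchored_match(a, pattern))
        for a in addresses
    ]

# Constructed client addresses: one listed, three that merely contain a
# listed address as a substring, one unrelated.
SAMPLE = ["1.2.3.4", "11.2.3.4", "1.2.3.40", "215.6.7.8", "9.9.9.9"]

if __name__ == "__main__":
    print("SecRule REMOTE_ADDR \"%s\"" % build_anchored_regex(BLOCKED))
    for addr, phrase_hit, anchored_hit in compare(SAMPLE, BLOCKED):
        flag = "FALSE POSITIVE" if phrase_hit and not anchored_hit else ""
        print(f"{addr:12} phrase={phrase_hit!s:5} anchored={anchored_hit!s:5} {flag}")
```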
