[Owasp-modsecurity-core-rule-set] Regarding core rule set of Mod Security
Brian.Rectanus at breach.com
Tue Jan 12 11:34:26 EST 2010
SAJAL BHATIA wrote:
> I have a few questions related to core rule set of Mod Security
> 1. How does it perform the searching of IPs which it is required to allow or block?
Not sure what you mean here. You want to pass it a list of IPs to
block? If so probably regex is the only way:
SecRule REMOTE_ADDR "^(?:1\.2\.3\.4|5\.6\.7\.8)$" \
But you could be smarter about the regex for IPs in the same subnet:
SecRule REMOTE_ADDR "^(?:1\.2\.3\.(?:4|5|6)|5\.6\.7\.(?:8|9|10))$" \
@pm and @pmFromFile will not work as the match is not bounded, so
"220.127.116.11" will match for "18.104.22.168", etc.
On the list of features to build is an @ip operator to do this better,
but really it is faster to do this from an external firewall.
Another option is @rbl.
And yet another option if you are a developer is to build your own
custom operator with the API.
> 2. Can we give externally a list of IPs to the core rule set for it to block or allow access?
> 3. Is it possible to make Mod Security refresh its white list or black list of IPs in real time?
You can if you build your own RBL and use the @rbl operator.
> 4. How can we update our customized rule set dynamically? Does it require the apache server to restart?
It requires a reload (i.e. "graceful") as it is part of the Apache config.
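Added example, not from the post or from ModSecurity itself: a small Python script that generates the anchored, subnet-grouped REMOTE_ADDR regex the reply describes from a plain list of addresses, and shows why an unanchored @pm-style substring search over-matches. The block list, the rule id and the action string are constructed assumptions for illustration.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample block list (assumption, not taken from the post).
BLOCKLIST = ["1.2.3.4", "1.2.3.5", "1.2.3.6", "5.6.7.8", "5.6.7.9", "5.6.7.10"]


def build_anchored_regex(ips):
    """Build an anchored alternation like the post's second SecRule,
    grouping addresses that share their first three octets."""
    groups = defaultdict(list)
    for ip in ips:
        addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
        prefix, last = str(addr).rsplit(".", 1)
        groups[prefix].append(last)
    alts = []
    for prefix in sorted(groups, key=lambda p: ipaddress.IPv4Address(p + ".0")):
        lasts = sorted(groups[prefix], key=int)
        if len(lasts) == 1:
            alts.append(re.escape(prefix) + r"\." + lasts[0])
        else:
            alts.append(re.escape(prefix) + r"\.(?:" + "|".join(lasts) + ")")
    # ^ and $ make the match bounded: the whole REMOTE_ADDR must be listed.
    return "^(?:" + "|".join(alts) + ")$"


def secrule_for(ips, rule_id):
    """Render a complete SecRule. The id and action list are an assumed,
    typical deny action, not something the post specifies."""
    return (
        'SecRule REMOTE_ADDR "%s" \\\n'
        '    "id:%d,phase:1,deny,status:403,msg:\'Blocked client IP\'"'
        % (build_anchored_regex(ips), rule_id)
    )


def anchored_match(ips, remote_addr):
    """What the generated regex does: exact, bounded match."""
    return re.search(build_anchored_regex(ips), remote_addr) is not None


def pm_style_match(ips, remote_addr):
    """Mimics @pm: an unanchored substring search, so a listed address
    matches inside a longer, unrelated address (the pitfall in the post)."""
    return any(ip in remote_addr for ip in ips)


if __name__ == "__main__":
    print(secrule_for(BLOCKLIST, 900001))
    for client in ["1.2.3.4", "11.2.3.45", "5.6.7.10", "5.6.7.1"]:
        print("%-10s anchored=%s  pm-style=%s" % (
            client, anchored_match(BLOCKLIST, client),
            pm_style_match(BLOCKLIST, client)))
```

Running it prints the rule and a comparison table: "11.2.3.45" is caught by the substring search (because "1.2.3.4" occurs inside it) but not by the anchored regex, while "5.6.7.1" is blocked by neither. Since the rule is Apache configuration, updating it still needs the graceful reload the reply mentions; later ModSecurity releases added an @ipMatch operator for exact address and CIDR lists.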