[Owasp-modsecurity-core-rule-set] Regarding core rule set of Mod Security

Ryan Barnett ryan.barnett at breach.com
Tue Jan 12 11:43:59 EST 2010


Couldn't you use @pmFromFile for a list of IPs as it will keep whitespace.  So, the user 
would need to make sure that they have leading/trailing spaces around each IP on each line 
in the file though.

Would that not work?

Ryan Barnett
Director of Application Security Research
Phone: (703) 794-2248
Cell: (703) 269-8998
Breach Security, Inc.
2141 Palomar Airport Road, Suite 200
Carlsbad, CA 92011
www.breach.com

On Tuesday 12 January 2010 11:34:26 am Brian Rectanus wrote:
> SAJAL BHATIA wrote:
> > Hi,
> >
> > I have a few questions related to core rule set of Mod Security
> >
> > 1. How does it perform the searching of IPs which it is required to
> > allow or block?
> 
> Not sure what you mean here.  You want to pass it a list of IPs to
> block?  If so probably regex is the only way:
> 
> SecRule REMOTE_ADDR "^(?:1\.2\.3\.4|5\.6\.7\.8)$" \
>                     "phase:1,deny"
> 
> But you could be smarter about the regex for IPs in the same subnet:
> 
> SecRule REMOTE_ADDR "^(?:1\.2\.3\.(?:4|5|6)|5\.6\.7\.(?:8|9|10))$" \
>                     "phase:1,deny"
> 
> @pm and @pmFromFile will not work as the match is not bounded, so
> "1.2.3.4" will match for "101.2.3.4", etc.
> 
> On the list of features to build is an @ip operator to do this better,
> but really it is faster to do this from an external firewall.
> 
> Another option is @rbl.
> 
> And yet another option if you are a developer is to build your own
> custom operator with the API.
> 
> > 2. Can we give externally a list of IPs to the core rule set for it to
> > block or allow access?
> > 3. Is it possible to make Mod Security refresh its
> > white list or black list of IPs in real time?
> 
> You can if you build your own RBL and use the @rbl operator.
> 
> > 4. How can we update our customized rule set dynamically? Does it require
> > the apache server to restart?
> 
> It requires a reload (ie "graceful") as it is part of the Apache config.
> 
> -B
> 
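The unbounded-match problem and the whitespace-padding idea discussed in this thread, as an added example (not code from the thread or from ModSecurity). Plain Python substring search stands in for an unbounded phrase match; the function names and the sample list are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample blocklist, using the addresses from the thread's regex.
BLOCKLIST = ["1.2.3.4", "5.6.7.8"]

def unbounded_match(addr, phrases):
    """Stand-in for an unbounded phrase match: plain substring search."""
    return any(p in addr for p in phrases)

def padded_match(addr, phrases, pad_target):
    """Space-padded phrases. The padding only acts as a boundary when the
    value being inspected carries the same padding."""
    target = f" {addr} " if pad_target else addr
    return any(f" {p} " in target for p in phrases)

def build_anchored_regex(ips):
    """Build ^(?:a|b)$ from a list of IPv4 strings. Each entry is validated
    first (ValueError on junk) and its dots are escaped."""
    escaped = [re.escape(str(ipaddress.IPv4Address(ip))) for ip in ips]
    return "^(?:" + "|".join(escaped) + ")$"

def anchored_match(addr, ips):
    """Whole-string match against the generated regex."""
    return re.search(build_anchored_regex(ips), addr) is not None

def to_secrule(ips):
    """Emit a rule in the same shape as the one quoted in the thread."""
    return ('SecRule REMOTE_ADDR "%s" \\\n    "phase:1,deny"'
            % build_anchored_regex(ips))

if __name__ == "__main__":
    # Constructed client addresses: one listed, three near misses.
    for addr in ["1.2.3.4", "101.2.3.4", "1.2.3.40", "9.9.9.9"]:
        print(f"{addr:10} unbounded={unbounded_match(addr, BLOCKLIST)!s:5} "
              f"padded(bare target)={padded_match(addr, BLOCKLIST, False)!s:5} "
              f"padded(padded target)={padded_match(addr, BLOCKLIST, True)!s:5} "
              f"anchored={anchored_match(addr, BLOCKLIST)}")
    print(to_secrule(BLOCKLIST))
```
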