[Modsecurity] Rules for rulesets
Chris H.
fbsd at 1command.com
Fri Jun 23 20:31:51 EDT 2006
Hello, and thank you for your response...
Quoting Michael Shinn:
> modsec rules are expressed as regular expressions.
Indeed. This is stated in the manual.
> For example, a list
> of OR cases would be (IP1|IP2|ip3|etc.), or you could use a range
> 1.2.3.[0-255].
Correct, your example(s) are expressed as regular expressions. Given
your (somewhat terse) example(s), I am still left with the question
as to what mod_security considers /correct/ syntax. Given the following
example(s), is it enough to use:
SecFilterSelective "REMOTE_IP" "(XX.XX.XXX.XX|YY.YYY.YY.YYY|ZZZ.ZZ.ZZ.ZZ)"
or is that not enough? If I'm not mistaken, it _needs_ to be correctly
expressed as:
SecFilterSelective "REMOTE_IP" "(^XX.XX.XXX.XX|YY.YYY.YY.YYY|ZZZ.ZZ.ZZ.ZZ$)"
(note: the caret and dollar sign, which you chose to omit in your example).
or must it be expressed as:
SecFilterSelective "REMOTE_IP" "(^XX\.XX\.XXX\.XX|YY\.YYY\.YY\.YYY|ZZZ\.ZZ\.ZZ\.ZZ$)"
As you can see, all three of my examples - well, maybe just the last two,
are expressed in RegExp. Can I /correctly/ assume that any of them will
work correctly?
Thank you again for your reply.
--Chris
> And there are many other means by which you could do
> this, as long as it's a valid regular expression it will work.
>
> On Fri, 2006-06-23 at 01:33 -0700, Chris H. wrote:
>> Greetings,
>> I have a question regarding the required syntax for rulesets.
>> I have previously been using deny, allow rules for rogue
>> IPs and currently have a list of approximately 500 current and
>> verified offenders. With the deny,allow syntax rules, it is possible
>> to simply string them in a space separated list with double quotes
>> on either end - e.g. "xx.yyy.zz.zzz xxx.xx.xxx.xxx yy.yy.yyyy.yy"
>> Is it possible to use a similar approach with rulesets in
>> mod_security? I can't imagine having to convert my current set
>> to:
>>
>> SecFilterSelective "REMOTE_IP" "XX.XX.XXX.XX"
>>
>> 500 (and more) times. Can they be separated by pipe, colon, or
>> space? As in:
>>
>> SecFilterSelective "REMOTE_IP" "XX.XX.XXX.XX|YY.YYY.YY.YYY|ZZZ.ZZ.ZZ.ZZ"
>> SecFilterSelective "REMOTE_IP" "XX.XX.XXX.XX:YY.YYY.YY.YYY:ZZZ.ZZ.ZZ.ZZ"
>> SecFilterSelective "REMOTE_IP" "XX.XX.XXX.XX YY.YYY.YY.YYY ZZZ.ZZ.ZZ.ZZ"
>>
>> or similar?
>>
>> Thank you for all your time and consideration.
>>
>> --Chris H.
>>
>> _______________________________________________
>> Modsecurity mailing list
>> Modsecurity at gotroot.com
>> http://lists.gotroot.com/mailman/listinfo/modsecurity
> --
> Michael T. Shinn KeyID:0xDAE2EC86
> Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
>
> Got Root? http://www.gotroot.com
> modsecurity rules: http://www.modsecurityrules.com
> Troubleshooting Firewalls: http://troubleshootingfirewalls.com
>
>
--
panic: kernel trap (ignored)
-----------------------------------------------------------------
FreeBSD 5.4-RELEASE-p12 (SMP - 900x2) Tue Mar 7 19:37:23 PST 2006
/////////////////////////////////////////////////////////////////
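
Added example, not part of the original message or of the mod_security project: a comparison of the three pattern forms asked about above with a fully anchored, dot-escaped form, to show which non-listed addresses each one also catches. It assumes the pattern is applied as an unanchored search (the behaviour of Python's re.search); the addresses and the names esc, build_patterns and verdicts are constructed for illustration.

```python
import re

# Constructed sample list standing in for the post's XX.XX.XXX.XX placeholders.
BLOCKLIST = ["192.0.2.10", "10.1.1.1", "203.0.113.25"]


def esc(ip):
    """Escape the dots so each one matches a literal '.' only."""
    return ip.replace(".", r"\.")


def build_patterns(ips):
    """Return the three forms from the post plus a fully anchored one."""
    raw = "|".join(ips)
    escaped = "|".join(esc(ip) for ip in ips)
    return {
        # form1: no anchors, '.' matches any character
        "form1": "(" + raw + ")",
        # form2: '^' binds only to the first alternative, '$' only to the last
        "form2": "(^" + raw + "$)",
        # form3: dots escaped, but anchors still inside the group
        "form3": "(^" + escaped + "$)",
        # strict: anchors outside the group apply to every alternative
        "strict": "^(" + escaped + ")$",
    }


def verdicts(addr, ips=BLOCKLIST):
    """Map each pattern name to True if it matches addr (search, not full match)."""
    return {name: re.search(pattern, addr) is not None
            for name, pattern in build_patterns(ips).items()}


if __name__ == "__main__":
    # One listed address followed by three addresses that are NOT on the list.
    for addr in ["10.1.1.1", "10.111.1.1", "210.1.1.1", "192.0.2.100"]:
        print(addr, verdicts(addr))
```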