[Modsecurity] Rules for rulesets

Michael Shinn mike at gotroot.com
Fri Jun 23 21:21:07 EDT 2006


On Fri, 2006-06-23 at 17:31 -0700, Chris H. wrote:
> or is that not enough. If I'm not mistaken, it _needs_ to be correctly
> expressed as:
> 
> SecFilterSelective "REMOTE_IP" "(^XX.XX.XXX.XX|YY.YYY.YY.YYY|ZZZ.ZZ.ZZ.ZZ$)"
> (note: the caret and dollar sign, which you chose to omit in your example).
> 
> or must it be expressed as:
> 
> SecFilterSelective "REMOTE_IP" "(^XX\.XX\.XXX\.XX|YY\.YYY\.YY\.YYY|ZZZ\.ZZ\.ZZ\.ZZ$)"
> 
> As you can see, all three of my examples - well, maybe just the last two,
> are expressed in RegExp. Can I /correctly/ assume that any of them will
> work correctly?

Almost there.  Technically speaking, you don't _have_ to bound the IP
address because modsec should only return four sets of integers, but it
doesn't hurt to bound it.  I don't, but like I said, it won't hurt and
it's probably not a bad idea.

Second, your bounds need to be outside the parentheses.  The parentheses
are a set, so you want to set the start and end of the line outside of
the set, otherwise you're just saying, for the first element of your set,
start at the beginning of the line, for the second start anywhere, and
for the last element, bound the end of the line.  

Finally, you should escape the dots.  I will tell you that in your
example not escaping them will work - in that the dots will probably
always line up with your regexp dots.  In practice, with IP addresses,
and REMOTE_ADDR, you're probably OK - but strictly speaking as this is a
regular expression you need to follow proper regular expression syntax
to get the behavior you want - so always escape your dots if you want
them to *be* dots.  Plus, it never hurts to be a little paranoid with
regexps, you never know what you might get otherwise.  :-)

SecFilterSelective REMOTE_ADDR "^(XX\.XX\.XXX\.XX|YY\.YYY\.YY\.YYY|ZZZ\.ZZ\.ZZ\.ZZ)$"

> 
> Thank you again for your reply.

Sure, my pleasure.

-- 
Michael T. Shinn                                    KeyID:0xDAE2EC86
Key Fingerprint:  1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
  
Got Root?  http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls:  http://troubleshootingfirewalls.com
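
The difference between the three rule forms discussed in this message, as an added example that is not part of the original post. Python's re module stands in for the regex engine behind SecFilterSelective (an assumption; the anchor, alternation and dot semantics used here are the same), and the addresses and function names are constructed for illustration.

```python
import re

# Constructed sample addresses standing in for the post's XX/YY/ZZ placeholders.
LISTED = ["192.0.2.10", "198.51.100.7", "10.1.2.5"]

def build(addresses, escape_dots, anchors_outside):
    """Build the alternation in the style of each rule variant from the thread."""
    alts = "|".join(re.escape(a) if escape_dots else a for a in addresses)
    return f"^({alts})$" if anchors_outside else f"(^{alts}$)"

VARIANTS = {
    "anchors inside, dots unescaped": build(LISTED, False, False),
    "anchors inside, dots escaped": build(LISTED, True, False),
    "anchors outside, dots escaped": build(LISTED, True, True),
}

# Well-formed addresses that are NOT listed but resemble a listed one.
LOOKALIKES = [
    "192.0.2.101",    # first branch has ^ but no $
    "198.51.100.70",  # middle branch has no anchor at all
    "110.1.2.5",      # last branch has $ but no ^
    "7.10.112.5",     # unescaped dot in the last branch matches the extra "1"
]

def unintended_matches(pattern, candidates=LOOKALIKES):
    """Return the unlisted addresses the pattern still matches (search semantics)."""
    rx = re.compile(pattern)
    return [c for c in candidates if rx.search(c)]

def matches_all_listed(pattern):
    """True when every listed address is matched by the pattern."""
    rx = re.compile(pattern)
    return all(rx.search(a) for a in LISTED)

if __name__ == "__main__":
    for name, pattern in VARIANTS.items():
        print(f"{name}: {pattern}")
        print("  listed addresses matched:  ", matches_all_listed(pattern))
        print("  unlisted addresses matched:", unintended_matches(pattern))
```

All three variants match the listed addresses; only the form with the anchors outside the parentheses and the dots escaped matches nothing else.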


