[Modsecurity] Rules for rulesets
Chris H.
fbsd at 1command.com
Fri Jun 23 21:31:51 EDT 2006
Greetings, and thank you very much for your reply.
Message received clearly and understood. Thank you _very_
much for taking the time to respond.
--Chris
Quoting Michael Shinn:
> On Fri, 2006-06-23 at 17:31 -0700, Chris H. wrote:
>> or is that not enough. If I'm not mistaken, it _needs_ to be correctly
>> expressed as:
>>
>> SecFilterSelective "REMOTE_IP" "(^XX.XX.XXX.XX|YY.YYY.YY.YYY|ZZZ.ZZ.ZZ.ZZ$)"
>> (note: the caret and dollar sign, which you chose to omit in your example).
>>
>> or must it be expressed as:
>>
>> SecFilterSelective "REMOTE_IP" "(^XX\.XX\.XXX\.XX|YY\.YYY\.YY\.YYY|ZZZ\.ZZ\.ZZ\.ZZ$)"
>>
>> As you can see, all three of my examples - well, maybe just the last two,
>> are expressed in RegExp. Can I /correctly/ assume that any of them will
>> work correctly?
>
> Almost there. Technically speaking, you don't _have_ to bound the IP
> address because modsec should only return four sets of integers, but it
> doesn't hurt to bound it. I don't, but like I said, it won't hurt and
> it's probably not a bad idea.
>
> Second, your bounds need to be outside the parentheses. The parentheses
> are a set, so you want to set the start and end of the line outside of
> the set, otherwise you're just saying for the first element of your set,
> start at the beginning of the line, for the second start anywhere, and
> for the last element, bound the end of the line.
>
> Finally, you should escape the dots. I will tell you that in your
> example not escaping them will work - in that the dots will probably
> always line up with your regexp dots. In practice, with IP addresses,
> and REMOTE_ADDR, you're probably OK - but strictly speaking as this is a
> regular expression you need to follow proper regular expression syntax
> to get the behavior you want - so always escape your dots if you want
> them to *be* dots. Plus, it never hurts to be a little paranoid with
> regexps, you never know what you might get otherwise. :-)
>
> SecFilterSelective REMOTE_ADDR "^(XX\.XX\.XXX\.XX|YY\.YYY\.YY\.YYY|ZZZ\.ZZ\.ZZ\.ZZ)$"
>
>>
>> Thank you again for your reply.
>
> Sure, my pleasure.
>
> --
> Michael T. Shinn KeyID:0xDAE2EC86
> Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
>
> Got Root? http://www.gotroot.com
> modsecurity rules: http://www.modsecurityrules.com
> Troubleshooting Firewalls: http://troubleshootingfirewalls.com
>
>
--
panic: kernel trap (ignored)
-----------------------------------------------------------------
FreeBSD 5.4-RELEASE-p12 (SMP - 900x2) Tue Mar 7 19:37:23 PST 2006
/////////////////////////////////////////////////////////////////
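The regex forms discussed in this thread, compared side by side as an added example (not code from either poster). It assumes Python's `re` as a stand-in for the regex engine behind `SecFilterSelective`, uses an unanchored search, and the addresses are constructed documentation-range values.

```python
import re

# Constructed allow-list (documentation ranges); not taken from the thread.
ADDRS = ["192.0.2.10", "198.51.100.20", "203.0.113.30"]


def build_patterns(addrs):
    """Build the three pattern shapes the thread compares."""
    raw = "|".join(addrs)                          # dots left as wildcards
    esc = "|".join(re.escape(a) for a in addrs)    # dots escaped to literals
    return {
        # ^ binds only to the first alternative, $ only to the last
        "anchors_inside": re.compile("(^" + raw + "$)"),
        # dots escaped, but anchors still inside the group
        "escaped_anchors_inside": re.compile("(^" + esc + "$)"),
        # anchors outside the group: every alternative is fully bounded
        "anchors_outside": re.compile("^(" + esc + ")$"),
    }


def matches(patterns, value):
    """Return which pattern shapes match value, using an unanchored search."""
    return {name: bool(p.search(value)) for name, p in patterns.items()}


def report(values):
    """Print a small comparison table for the given candidate values."""
    pats = build_patterns(ADDRS)
    for v in values:
        hits = [n for n, ok in matches(pats, v).items() if ok]
        print(f"{v:16} -> {', '.join(hits) or 'no match'}")


if __name__ == "__main__":
    report([
        "192.0.2.10",      # listed address: every form matches
        "192.0.2.100",     # different host, matches via the unbounded end
        "198.51.100.200",  # different host, middle alternative is unanchored
        "192x0x2x10",      # not an address: only unescaped dots accept it
    ])
```

With anchors inside the parentheses, addresses that merely share a prefix with a listed entry are treated as listed; only the form with anchors outside the group and escaped dots matches the three listed addresses and nothing else.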