[Modsecurity] Rules for rulesets

Michael Shinn mike at gotroot.com
Fri Jun 23 21:38:28 EDT 2006


My pleasure.

On Fri, 2006-06-23 at 18:31 -0700, Chris H. wrote:
> Greetings, and thank you very much for your reply.
> Message received clearly and understood. Thank you _very_
> much for taking the time to respond.
> 
> --Chris
> 
> Quoting Michael Shinn:
> 
> > On Fri, 2006-06-23 at 17:31 -0700, Chris H. wrote:
> >> or is that not enough. If I'm not mistaken, it _needs_ to be correctly
> >> expressed as:
> >>
> >> SecFilterSelective "REMOTE_IP" "(^XX.XX.XXX.XX|YY.YYY.YY.YYY|ZZZ.ZZ.ZZ.ZZ$)"
> >> (note: the caret and dollar sign, which you chose to omit in your example).
> >>
> >> or must it be expressed as:
> >>
> >> SecFilterSelective "REMOTE_IP" "(^XX\.XX\.XXX\.XX|YY\.YYY\.YY\.YYY|ZZZ\.ZZ\.ZZ\.ZZ$)"
> >>
> >> As you can see, all three of my examples - well, maybe just the last two,
> >> are expressed in RegExp. Can I /correctly/ assume that any of them will
> >> work correctly?
> >
> > Almost there.  Technically speaking, you don't _have_ to bound the IP
> > address because modsec should only return four sets of integers, but it
> > doesn't hurt to bound it.  I don't, but like I said, it won't hurt and
> > it's probably not a bad idea.
> >
> > Second, your bounds need to be outside the parentheses.  The parentheses
> > are a set, so you want to set the start and end of the line outside of
> > the set, otherwise you're just saying for the first element of your set,
> > start at the beginning of the line, for the second start anywhere, and
> > for the last element, bound the end of the line.
> >
> > Finally, you should escape the dots.  I will tell you that in your
> > example not escaping them will work - in that the dots will probably
> > always line up with your regexp dots.  In practice, with IP addresses,
> > and REMOTE_ADDR, you're probably OK - but strictly speaking as this is a
> > regular expression you need to follow proper regular expression syntax
> > to get the behavior you want - so always escape your dots if you want
> > them to *be* dots.  Plus, it never hurts to be a little paranoid with
> > regexps, you never know what you might get otherwise.  :-)
> >
> > SecFilterSelective REMOTE_ADDR "^(XX\.XX\.XXX\.XX|YY\.YYY\.YY\.YYY|ZZZ\.ZZ\.ZZ\.ZZ)$"
> >
> >>
> >> Thank you again for your reply.
> >
> > Sure, my pleasure.
-- 
Michael T. Shinn                                    KeyID:0xDAE2EC86
Key Fingerprint:  1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
  
Got Root?  http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls:  http://troubleshootingfirewalls.com
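
Added example, not part of the original thread: a small check of the three pattern forms discussed above (anchors inside the group, with and without escaped dots, and anchors outside the group). It assumes Python's re module as a stand-in for the regex engine behind SecFilterSelective, and the addresses are constructed samples replacing the XX/YY/ZZ placeholders.

```python
import re

# Constructed sample allowlist standing in for the XX/YY/ZZ placeholders.
ALLOWED = ["10.20.130.21", "55.166.77.188", "203.10.113.25"]
ESCAPED = [re.escape(ip) for ip in ALLOWED]  # turns each "." into "\."

# The three forms discussed in the thread, built from the same allowlist.
PATTERNS = {
    "anchors_inside_unescaped": "(^" + "|".join(ALLOWED) + "$)",
    "anchors_inside_escaped": "(^" + "|".join(ESCAPED) + "$)",
    "anchors_outside_escaped": "^(" + "|".join(ESCAPED) + ")$",
}

# Constructed probes: one allowed address plus near misses.
PROBES = [
    "10.20.130.21",    # on the allowlist
    "10.20.130.210",   # extends the first entry (only its start is bound)
    "155.166.77.188",  # contains the middle entry (not bound at all)
    "203.10.113.250",  # extends the last entry (its end is bound)
    "10x20x130x21",    # not an address; shows what an unescaped "." accepts
]


def over_matches(pattern, probes=PROBES, allowed=ALLOWED):
    """Return the probes a pattern accepts that are not on the allowlist."""
    rx = re.compile(pattern)
    # search() finds a match anywhere in the string, so only the anchors
    # written in the pattern restrict where the match may start or end.
    return [p for p in probes if rx.search(p) and p not in allowed]


def accepts_all_allowed(pattern, allowed=ALLOWED):
    """Check that a pattern still accepts every allowlisted address."""
    rx = re.compile(pattern)
    return all(rx.search(ip) for ip in allowed)


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name}: {pattern}")
        print(f"  accepts allowlist: {accepts_all_allowed(pattern)}")
        print(f"  over-matches:      {over_matches(pattern)}")
```

Only the form with the anchors outside the parentheses and escaped dots accepts the allowlist and nothing else from the probe set.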


