[Modsecurity] Rules for rulsets

Chris H. fbsd at 1command.com
Fri Jun 23 23:18:00 EDT 2006 

Hello,
I also wondered a little about beginning and ending IP's with 2,
as well as 1 IP. Given your experience, can I assume that since I
begin and end this list with 3 that those in the middle won't run
into trouble eg; matching additional numbers at either end of their range?
Here's my current list:

SecFilterSelective REMOTE_ADDR \
"^(194.72.238.10|194.72.238.13|194.72.238.14|194.72.238.15|194.72.238.16|194.72.238.19|194.72.238.62|194.72.238.61|83.138.189.100|83.138.190.203|194.72.238.11|69.20.95.4|65.61.188.4|216.145.17.190|66.249.4.251|64.246.161.26|209.59.193.17|64.246.165.245|69.28.247.250|61.54.16.6|164.125.118.29|66.34.236.1|219.84.169.236|62.29.136.20|81.176.76.47|66.49.214.139|12.215.94.57|80.239.107.45|194.72.238.62|82.135.33.98|82.127.23.55|219.64.36.34|69.60.110.111|202.159.115.138|221.217.184.131|60.239.12.98|222.107.35.143|82.83.212.125|199.227.64.94|203.250.148.13|84.97.214.143|69.120.1.128|210.224.164.36|162.129.37.180|80.53.80.182|80.81.122.177|83.16.187.6|82.134.230.32|62.40.150.221|219.83.54.52|193.92.9.19|202.84.115.11|209.121.67.172|124.0.225.70|62.40.150.221|219.134.212.207|222.51.213.172|220.162.129.197|140.125.20.107|202.58.85.6|203.200.93.155|194.68.63.142|62.20.220.70|66.77.128.77|195.205.178.230|208.138.21.64|200.27.187.52|66.224.214.11|218.11.207.244|210.87.251.106|213.114.21!
 .63|200.61.183.237|201.12.106.2|62.178.210.9|204.83.56.144|69.95.136.131|84.58.232.52|207.90.211.54|70.168.74.193|69.17.157.154|210.3.4.193|68.87.72.169|66.161.95.147|217.58.71.101|69.94.80.15|172.192.99.104|147.202.43.153|216.7.168.224|83.14.11.178|81.7.76.61|212.100.254.113|206.71.166.2|85.14.216.209|210.253.120.121|81.91.225.142|211.115.70.163|59.49.233.25|69.13.31.57|129.8.238.39|211.100.33.61|211.115.70.163|211.100.33.61|61.183.15.41|132.248.200.16|200.46.107.131|61.97.32.12|69.17.157.154|70.168.74.193|207.90.211.54|220.170.53.194|220.123.171.125|61.60.21.226|61.135.159.152|61.135.170.153|81.223.25.117|69.19.225.155|61.134.32.18|61.185.208.83|59.124.127.103|164.77.238.114|66.34.240.128|211.214.161.239|61.183.15.41|211.100.33.61|85.112.145.11|220.64.88.9|24.128.223.238|66.77.128.77|67.50.47.52|62.116.40.112|150.101.121.80|62.116.40.112|200.122.153.10|68.87.76.152|69.41.54.49|12.193.208.2|212.68.193.242|196.40.43.78|199.170.103.17|218.189.215.178|80.53.0.29|201.243.180.1!
 28|60.236.29.243|203.177.167.195|201.45.178.36|61.178.21.179|2!
 16.102.2
12.115|131.220.92.80|65.40.8.141|220.181.9.119|210.82.46.66|207.210.86.105|202.83.32.124|66.81.231.52|66.17.15.154|38.99.203.110|201.18.140.207|62.252.64.30|203.124.171.20|38.99.203.110|61.97.32.12|192.91.171.36|219.117.251.138|72.18.195.161|38.99.203.110|212.36.65.144|72.18.195.161|68.185.24.2|220.227.125.124|220.194.57.112|216.235.153.4|203.125.140.52|82.231.38.27|61.135.170.159|83.138.146.85|64.91.231.91|202.138.112.252|209.97.203.36|64.92.201.114)$"

Is it safe?

Thank you for your consideration.

--Chris

Quoting Brian Rectanus:

> [Sorry, replied only to Mike and ment it for the list...]
>
> Hi Mike,
>
> Further along these lines, there are a few mistakes (poor
> assumptions?) in the badips.conf that should be corrected.  Not all of
> the IPs need bound, but some do.  To be safe (and actually faster at
> matching given a large set like badips.conf) consider binding them
> all.  This is one of the reasons I would not use this list to do any
> blocking.
>
> Consider these which are fine:
>
> SecFilterSelective REMOTE_ADDR 195\.18\.128\.230
> SecFilterSelective REMOTE_ADDR 200\.118\.69\.30
>
> Both begin with 3 digits and a dot.  One ends w/3 digits and the other
> 2, but high enough that adding to the end is impossible (> 255).
>
> Now consider this one which is subtly incorrect:
>
> SecFilterSelective REMOTE_ADDR "64\.75\.68\.15"
>
> Why?  Because they also match these IPs:
>
> 1?64\.75\.68\.15[0-9]?
>
> So, along with blocking some poor shmoes at an IP from "Ulster County
> BOCES", you also just blocked 11 additional (legitimate?) IPs from the
> Parliment of Austrailia (http://www.aph.gov.au/) range.  Oops.
>
> So, to prevent this type of mishap, I suggest always bounding with 
> ^/$ for IPs.
>
> Later.  And keep up the great work as it is definitly appreciated.
> -B
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
>



-- 
panic: kernel trap (ignored)



-----------------------------------------------------------------
FreeBSD 5.4-RELEASE-p12 (SMP - 900x2) Tue Mar 7 19:37:23 PST 2006
/////////////////////////////////////////////////////////////////

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: PGP Digital Signature
Url : http://lists.gotroot.com/pipermail/modsecurity/attachments/20060623/74676750/attachment.bin

More information about the Modsecurity mailing list