[Modsecurity] Rules for rulsets

[Brian Rectanus]

On 6/23/06, Chris H. <fbsd at 1command.com> wrote:
> Hello,
> I also wondered a little about beginning and ending IP's with 2,
> as well as 1 IP. Given your experience, can I assume that since I
> begin and end this list with 3 that those in the middle won't run
> into trouble eg; matching additional numbers at either end of their range?
> Here's my current list:
>
> SecFilterSelective REMOTE_ADDR \
> "^(194.72.238.10|194.72.238.13|194.72.238.14|194.72.238.15|194.72.238.16|194.72.238.19|194.72.238.62|194.72.238.61|83.138.189.100|83.138.190.203|194.72.238.11|69.20.95.4|65.61.188.4|216.145.17.190|66.249.4.251|64.246.161.26|209.59.193.17|64.246.165.245|69.28.247.250|61.54.16.6|164.125.118.29|66.34.236.1|219.84.169.236|62.29.136.20|81.176.76.47|66.49.214.139|12.215.94.57|80.239.107.45|194.72.238.62|82.135.33.98|82.127.23.55|219.64.36.34|69.60.110.111|202.159.115.138|221.217.184.131|60.239.12.98|222.107.35.143|82.83.212.125|199.227.64.94|203.250.148.13|84.97.214.143|69.120.1.128|210.224.164.36|162.129.37.180|80.53.80.182|80.81.122.177|83.16.187.6|82.134.230.32|62.40.150.221|219.83.54.52|193.92.9.19|202.84.115.11|209.121.67.172|124.0.225.70|62.40.150.221|219.134.212.207|222.51.213.172|220.162.129.197|140.125.20.107|202.58.85.6|203.200.93.155|194.68.63.142|62.20.220.70|66.77.128.77|195.205.178.230|208.138.21.64|200.27.187.52|66.224.214.11|218.11.207.244|210.87.251.106|213.114.21!
>  .63|200.61.183.237|201.12.106.2|62.178.210.9|204.83.56.144|69.95.136.131|84.58.232.52|207.90.211.54|70.168.74.193|69.17.157.154|210.3.4.193|68.87.72.169|66.161.95.147|217.58.71.101|69.94.80.15|172.192.99.104|147.202.43.153|216.7.168.224|83.14.11.178|81.7.76.61|212.100.254.113|206.71.166.2|85.14.216.209|210.253.120.121|81.91.225.142|211.115.70.163|59.49.233.25|69.13.31.57|129.8.238.39|211.100.33.61|211.115.70.163|211.100.33.61|61.183.15.41|132.248.200.16|200.46.107.131|61.97.32.12|69.17.157.154|70.168.74.193|207.90.211.54|220.170.53.194|220.123.171.125|61.60.21.226|61.135.159.152|61.135.170.153|81.223.25.117|69.19.225.155|61.134.32.18|61.185.208.83|59.124.127.103|164.77.238.114|66.34.240.128|211.214.161.239|61.183.15.41|211.100.33.61|85.112.145.11|220.64.88.9|24.128.223.238|66.77.128.77|67.50.47.52|62.116.40.112|150.101.121.80|62.116.40.112|200.122.153.10|68.87.76.152|69.41.54.49|12.193.208.2|212.68.193.242|196.40.43.78|199.170.103.17|218.189.215.178|80.53.0.29|201.243.180.1!
>  28|60.236.29.243|203.177.167.195|201.45.178.36|61.178.21.179|2!
>  16.102.2
> 12.115|131.220.92.80|65.40.8.141|220.181.9.119|210.82.46.66|207.210.86.105|202.83.32.124|66.81.231.52|66.17.15.154|38.99.203.110|201.18.140.207|62.252.64.30|203.124.171.20|38.99.203.110|61.97.32.12|192.91.171.36|219.117.251.138|72.18.195.161|38.99.203.110|212.36.65.144|72.18.195.161|68.185.24.2|220.227.125.124|220.194.57.112|216.235.153.4|203.125.140.52|82.231.38.27|61.135.170.159|83.138.146.85|64.91.231.91|202.138.112.252|209.97.203.36|64.92.201.114)$"
>
> Is it safe?
>
> Thank you for your consideration.
>
> --Chris
>

As long as you use ^ and $ and \. there cannot be any additional
matching by pre/appending digits.

I don't think it is any faster (and may be slower) to used a large OR
list like that.  In any case, I would split them up into single rules,
each blocked with ^ and $ just because it is more maintainable and
less prone to miss some small error in the RE.  I *do* think that
using the ^ and $ *is* faster than without, though, because often you
can short circuit the match on the first character instead of trying
to shift the RE around for an internal match.

If you want better speed, and don't care for maintenance, then try
something like this for each subnet (untested):

SecFilterSelective REMOTE_ADDR "^194\.72\.238\." chain
SecFilterSelective REMOTE_ADDR "(?:1[034569]|6[12])$"

Which would (more efficiently?) match all of these:

194.72.238.10
194.72.238.13
194.72.238.14
194.72.238.15
194.72.238.16
194.72.238.19
194.72.238.61
194.72.238.62

But, is *much* less readable then 8 separate rules and going to be
more prone to errors.  As Mike wrote, RBLs are the way to go for large
lists, though.

-B