Re: Filter Rules by IP Address

Move your IP rule sdown under:

SecFilterDebugLog logs/modsec_debug_log


At the very bottom of the module you have:


SecFilter "/tmp"


Thats looks be be getting you. Try moving your code down first.

-- 
Regards,

 -Chris

_______________________________________________
Christopher Murley
Network Administrator
TownNews.Com
800.293.9576

Naveen Amradi said:
> Forgot to attach file in the previous reply.
>  Thanks,
> naveen
>
>  On 10/25/05, Naveen Amradi <namradi@xxxxxxxxx> wrote:
>>
>> Chris,
>>  I have attached my conf file. WOuld you please look at it. I have
>> placed
>> the rule right below the SecFilterEngine. In that case wont that rule be
>> higher than other ones. Maybe i am sounding dumb. I am trying to read
>> the
>> book and understand slowly.
>>  I would appreciate if you can look at the conf file.
>>  Everyone on this list is so active helpful.
>>  Thanks a lot,
>> naveen
>>
>>  On 10/25/05, Christopher Murley <murley@xxxxxxxxxxxx> wrote:
>> >
>> > HI Naveen, your problem isn't with the IP rule you created. You error
>> > was:
>> >
>> > mod_security-message: Access denied with code 403. Pattern match
>> "/tmp"
>> > at
>> > THE_REQUEST
>> >
>> >
>> > The request you sent:
>> >
>> > GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1" 403 232
>> >
>> > has /TMP (lowercased) /tmp in it. You must have another rule higher in
>> > your chain thats disallowing URLS referencing /tmp.
>> >
>> > --
>> > Regards,
>> >
>> > -Chris
>> >
>> > _______________________________________________
>> > Christopher Murley
>> > Network Administrator
>> > TownNews.Com
>> > 800.293.9576
>> >
>> > Naveen Amradi said:
>> > > HI Ryan,
>> > > I appreciate your quick response and help.
>> > > I am still not able to configure it properly.
>> > > Just like u said i added
>> > >
>> > > SecFilterSelective REMOTE_HOST "^192\.168\.0\.94$" allow,pass
>> > > I tried putting it right below the SecFilterEnging and other places
>> > too.
>> > > And i am getting this error in the log file. Maybe i am missing
>> > something.
>> > >
>> > > UNIQUE_ID: xv7hbIJKVE8AAFQjVXYAAAAE
>> > > Request: 196.168.0.94 <http://196.168.0.94/> < http://196.168.0.94>
>> -
>> > - [25/Oct/2005:11:39:02
>> > > --0500] "GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1" 403 232
>> > > Handler: server-parsed
>> > > ----------------------------------------
>> > > GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1
>> > > User-Agent: Contribute
>> > > Host: www.outreach.olemiss.edu <http://www.outreach.olemiss.edu/> <
>> > http://www.outreach.olemiss.edu/>
>> > > Cookie:
>> > >
>> > phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%223%22%3B%7D;
>> > > PHPSESSID=59ded4be35990378545d942f2a11c0f9
>> > > mod_security-message: Access denied with code 403. Pattern match
>> > "/tmp" at
>> > > THE_REQUEST
>> > > mod_security-action: 403
>> > >
>> > > HTTP/1.1 403 Forbidden
>> > > Content-Length: 232
>> > >
>> > > Could you help me?And Just for info i am trying to configure
>> > Macromedia
>> > > Contribute.
>> > >
>> > > Thanks a lot,
>> > >
>> > > naveen
>> > >
>> > > On 10/25/05, Ryan Barnett <rcbarnett@xxxxxxxxx> wrote:
>> > >>
>> > >> Naveen,
>> > >> Think of the mod_security directives (SecFilter|SecFilterSelective)
>> > as
>> > >> you
>> > >> would firewall rules in that the order in which they are specified
>> in
>> > >> the
>> > >> httpd.conf file does matter. Again, like firewall rules, once a
>> > filter
>> > >> matches the incoming HTTP request it will trigger the actions
>> > specified.
>> > >> With this being said, if you want to "whitelist" an IP address to
>> > allow
>> > >> this
>> > >> client access, then add in a rule like this near the top of your
>> > >> Mod_Security directives -
>> > >> SecFilterSelective REMOTE_HOST "^192\.168\.1\.100$" allow,pass
>> > >> Add this just below the mod_security general directives (such as
>> > >> SecFilterEngine, etc....).
>> > >> That should do it.
>> > >>
>> > >> --
>> > >> Ryan C. Barnett
>> > >> Web Application Security Consortium (WASC) Member
>> > >> CIS Apache Benchmark Project Lead
>> > >> SANS Instructor: Securing Apache
>> > >> GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
>> > >> Author: Preventing Web Attacks with Apache
>> > >> On 10/25/05, Naveen Amradi <namradi@xxxxxxxxx> wrote:
>> > >> >
>> > >> > HI All,
>> > >> >
>> > >> > Newbie of ModSecurity. I was wondering is there a way to
>> > >> > open up rules for certain ip addresses.
>> > >> >
>> > >> > Thanks a gazillion!
>> > >> > Naveen
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>
>> > >
>> >
>> >
>>
>



-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information