Re: Filter Rules by IP Address

Just curious,

Can i allow a full subnet like this
SecFilterSelective REMOTE_ADDR  ^196.168.0.*$ allow.
I will give it a try.

Thanks,
naveen

On 10/25/05, Naveen Amradi <namradi@xxxxxxxxx> wrote:
> SecFilterSelective REMOTE_ADDR  ^196.168.0.94$ allow
> worked.  I tried that before Ryan replied but with allow,pass.
> So i guess wiht pass in it, it was allowing the IP address but still
> applying the other rules.
>
> I really appreciate your help guys.
>
>
> Thanks a lot,
> Naveen
>
> On 10/25/05, Ryan Barnett <rcbarnett@xxxxxxxxx> wrote:
> > Sorry about that - I used the wrong env token.  Use this instead -
> >
> > SecFilterSelective REMOTE_ADDR "^192\.168\.0\.94$" allow
> >
> > Also, just use "allow" at the end.  This should tell mod_security to allow
> > the request and to not apply and other filters.
> >
> > If it is still getting blocked by another filter, check the debug log file
> > Looking at your conf file, you need to turn this on (0 does no logging).
> > Set this log level to 9 if you want the most verbose info. -
> >
> > # You normally won't need debug logging
> >     SecFilterDebugLevel 9
> >     SecFilterDebugLog logs/modsec_debug_log
> >
> > --
> > Ryan C. Barnett
> > Web Application Security Consortium (WASC) Member
> > CIS Apache Benchmark Project Lead
> > SANS Instructor: Securing Apache
> > GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> >
> > Author: Preventing Web Attacks with Apache
> >
> > On 10/25/05, Naveen Amradi <namradi@xxxxxxxxx> wrote:
> > >
> > > HI Ryan,
> > >
> > >   I appreciate your quick response and help.
> > >  I am still not able to configure it properly.
> > > Just like u said i added
> > >
> > > SecFilterSelective REMOTE_HOST "^192\.168\.0\.94$" allow,pass
> > >
> > > I tried putting it right below the SecFilterEnging and other places too.
> > And i am getting this error in the log file. Maybe i am missing something.
> > >
> > >
> > > UNIQUE_ID: xv7hbIJKVE8AAFQjVXYAAAAE
> > > Request: 196.168.0.94 - - [25/Oct/2005:11:39:02 --0500] "GET
> > /study_abroad/TMPzad38oxcyx.htm HTTP/1.1" 403 232
> > > Handler: server-parsed
> > > ----------------------------------------
> > > GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1
> > > User-Agent: Contribute
> > > Host: www.outreach.olemiss.edu
> > > Cookie:
> > phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%223%22%3B%7D;
> > PHPSESSID=59ded4be35990378545d942f2a11c0f9
> > > mod_security-message: Access denied with code 403. Pattern match "/tmp" at
> > THE_REQUEST
> > > mod_security-action: 403
> > >
> > > HTTP/1.1 403 Forbidden
> > > Content-Length: 232
> > >
> > > Could you help me?And Just for info i am trying to configure Macromedia
> > Contribute.
> > >
> > > Thanks a lot,
> > >
> > > naveen
> > >
> > >
> > > On 10/25/05, Ryan Barnett <rcbarnett@xxxxxxxxx > wrote:
> > >
> > > >
> > > > Naveen,
> > > > Think of the mod_security directives (SecFilter|SecFilterSelective) as
> > you would firewall rules in that the order in which they are specified in
> > the httpd.conf file does matter.  Again, like firewall rules, once a filter
> > matches the incoming HTTP request it will trigger the actions specified.
> > With this being said, if you want to "whitelist" an IP address to allow this
> > client access, then add in a rule like this near the top of your
> > Mod_Security directives -
> > > >
> > > > SecFilterSelective REMOTE_HOST "^192\.168\.1\.100$" allow,pass
> > > >
> > > > Add this just below the mod_security general directives (such as
> > SecFilterEngine, etc....).
> > > >
> > > > That should do it.
> > > >
> > > > --
> > > > Ryan C. Barnett
> > > > Web Application Security Consortium (WASC) Member
> > > > CIS Apache Benchmark Project Lead
> > > > SANS Instructor: Securing Apache
> > > > GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> > > > Author: Preventing Web Attacks with Apache
> > > >
> > > >
> > > > On 10/25/05, Naveen Amradi <namradi@xxxxxxxxx > wrote:
> > > > > HI All,
> > > > >
> > > > >   Newbie of ModSecurity. I was wondering is there a way to
> > > > > open up rules for certain ip addresses.
> > > > >
> > > > > Thanks a gazillion!
> > > > > Naveen
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
> >
> >
>


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information