
17 December 2012


Thanks for this tutorial, Ryan. Looking forward to the others!

As a newb, I got stuck with the error:
Could not set variable "ip.malicious_client" as the collection does not exist

After some checking through the ModSecurity reference docs, I found that INITCOL is needed to initialize the IP collection. I placed this just above the first of the two phase:2 rules for tagging malicious clients:

SecAction phase:1,id:116,nolog,pass,initcol:ip=%{REMOTE_ADDR}

And it works now.

If you are using the OWASP ModSecurity CRS, the setup config file checks for those proxy headers -

You could update the rules to check TX:REAL_IP instead of REMOTE_ADDR.

Hi Ryan,
What can you do to use the X-Forwarded-For HTTP header instead of the IP address when the suspicious traffic comes from a proxy (or an Akamai-like Internet service)?
