
17 December 2012

Comments

Thanks for this tutorial, Ryan. Looking forward to the others!

As a newb, I got stuck with the error:
Could not set variable "ip.malicious_client" as the collection does not exist

After some checking through the ModSecurity reference docs, I found that INITCOL is needed to initialize the IP collection. I placed this just above the first of the two phase:2 rules for tagging malicious clients:

SecAction phase:1,id:116,nolog,pass,initcol:ip=%{REMOTE_ADDR}

And it works now.

If you are using the OWASP ModSecurity CRS, the setup config file checks for those proxy headers - https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/modsecurity_crs_10_setup.conf.example

You could update the rules to check TX:REAL_IP instead of REMOTE_ADDR.

Hi Ryan,
What can you do to use the X-Forwarded-For HTTP header instead of the IP address when the suspicious traffic comes from a proxy (or an Akamai-like Internet service)?
Regards
Gérard
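The three points raised in the comments above (initializing the IP collection, resolving the real client address behind a proxy, and keying the malicious-client tag on it) fit together in one rule set. The following is an added example, not the tutorial's rules or the commenters' code; it assumes ModSecurity 2.7+, a single trusted reverse proxy at the placeholder address 10.0.0.5, arbitrarily chosen rule ids 900010-900014, and a constructed trigger path /trap/.

```apache
# Added example, not the tutorial's own rules. Assumptions: ModSecurity 2.7+,
# one trusted reverse proxy at 10.0.0.5 (placeholder), rule ids 900010-900014
# chosen arbitrarily, and /trap/ as a constructed trigger path.

# 1. Default the resolved client address to the TCP peer (REMOTE_ADDR).
SecAction "id:900010,phase:1,pass,nolog,t:none,setvar:tx.real_ip=%{REMOTE_ADDR}"

# 2. Only when the peer IS the trusted proxy, replace it with the LAST
#    X-Forwarded-For entry (the one the proxy appended). Earlier entries
#    arrive from the client and can be forged, so they are never trusted.
SecRule REMOTE_ADDR "@ipMatch 10.0.0.5" "id:900011,phase:1,pass,nolog,t:none,chain"
    SecRule REQUEST_HEADERS:X-Forwarded-For "([0-9a-fA-F.:]+)\s*$" \
        "t:none,capture,setvar:tx.real_ip=%{tx.1}"

# 3. Initialise the persistent IP collection keyed on the resolved address,
#    so ip.* variables exist before any later setvar touches them.
SecAction "id:900012,phase:1,pass,nolog,initcol:ip=%{tx.real_ip}"

# 4. Block any request from a client that was tagged earlier.
SecRule IP:MALICIOUS_CLIENT "@eq 1" \
    "id:900013,phase:2,deny,status:403,log,msg:'Blocking tagged client %{tx.real_ip}'"

# 5. Tag the client when it hits the constructed trigger path;
#    the flag expires after 600 seconds.
SecRule REQUEST_URI "@beginsWith /trap/" \
    "id:900014,phase:2,pass,log,msg:'Tagging client %{tx.real_ip} as malicious',\
    setvar:ip.malicious_client=1,expirevar:ip.malicious_client=600"
```

Because the proxy check uses REMOTE_ADDR rather than the header itself, a client that sends its own X-Forwarded-For directly to the server cannot change which collection it is tracked under.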
