# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # Gather IP/Host Data for Audit Logging # # - http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html # # # Execute the IP Lookup/Whois Check when anomaly scores are not 0 # # You must update the local path for the exec action to point to the lua script. # SecRule TX:ANOMALY_SCORE "@gt 0" "phase:5,t:none,pass,nolog,id:'900036',exec:/usr/local/apache/conf/crs/lua/gather_ip_data.lua" SecRule TX:HOSTNAME ".*" "phase:5,t:none,pass,log,id:'900037',msg:'Client Nslookup/WHOIS Abuse Info.',logdata:'Hostname: %{tx.hostname} and WHOIS Abuse Contact: %{tx.abuse_contact}',setvar:'ip.hostname=Hostname: %{tx.hostname} and WHOIS Abuse Contact: %{tx.abuse_contact}',expirevar:ip.hostname=86400,skip:1" SecRule TX:ANOMALY_SCORE "@gt 0" "phase:5,t:none,pass,log,id:'900038',msg:'Client Nslookup/WHOIS Abust Info.',logdata:'%{ip.hostname}'" # # Download the GeoIP DB from MaxMind # # GeoLite City - http://www.maxmind.com/app/geolitecity # GeoLite Country - http://www.maxmind.com/app/geoip_country # # Define the proper path to the GeoIP DB SecGeoLookupDb /usr/share/GeoIP/GeoLiteCity.dat # # Check the Transactional Anomaly Score - if it is not 0 then record the GeoIP data # for the client in the audit log. # SecRule TX:ANOMALY_SCORE "@gt 0" "chain,phase:5,pass,t:none,log,id:'900039',severity:'5',msg:'Logging GeoIP Data due to anomaly score.',logdata:'Country Code=%{geo.country_code}, Country Code3=%{geo.country_code3}, Country Name=%{geo.country_name}, Country Continent=%{geo.country_continent}, City=%{geo.city}'" SecRule REMOTE_ADDR "@geoLookup"