Author: Victor Julien
Source: http://www.inliniac.net/blog/2007/03/01/update-on-using-realtime-blacklists-with-modsecurity.html

The article below uses rbl (realtime blacklist) checks to catch spam in WordPress comment posting and trackbacks, but applying the same approach to other programs should not be difficult.

----------------------------------------------------------------------------------

Update on using realtime blacklists with ModSecurity
Thursday, March 1st, 2007
A few days ago I posted a blog article about stopping comment spam with ModSecurity using realtime blacklists (rbl). While the approach was working, I noted having problems with rules when I tried to match on POST methods in HTTP requests.

Luckily, ModSecurity creator Ivan Ristic was quick to point out where the problem was. I'm using the Core Ruleset for ModSecurity, and one thing that ruleset does is apply the 'lowercase' transformation. This converts the text being inspected to lowercase, so my ^POST$ match would never be able to match. So, as Ivan suggested, using ^post$ solved this part.

Next, Ivan pointed out a weakness in the rules. My rules looked for /blog/wp-comment-post.php, and would be easily evaded by simply requesting /blog//wp-comment-post.php. He suggested using the 'normalisePath' transformation. I did this, but I also slightly changed the rules to not look for the /blog/ part at all (maybe this makes normalisePath redundant, but I decided I'd rather be safe than sorry).

The rules I’m using now look like this:

SecRule REQUEST_METHOD "^post$" "log,deny,chain,msg:'LOCAL comment spammer at rbl list.dsbl.org'"
SecRule REQUEST_URI "wp-(comments-post|trackback).php$" "chain,t:normalisePath"
SecRule REMOTE_ADDR "@rbl list.dsbl.org"

SecRule REQUEST_METHOD "^post$" "log,deny,chain,msg:'LOCAL comment spammer at rbl bl.spamcop.net'"
SecRule REQUEST_URI "wp-(comments-post|trackback).php$" "chain,t:normalisePath"
SecRule REMOTE_ADDR "@rbl bl.spamcop.net"

SecRule REQUEST_METHOD "^post$" "log,deny,chain,msg:'LOCAL comment spammer at rbl sbl-xbl.spamhaus.org'"
SecRule REQUEST_URI "wp-(comments-post|trackback).php$" "chain,t:normalisePath"
SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org"
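
To make the behaviour of the chained rules above concrete, here is an added Python model of them (example code written for this page, not part of Victor's post or of ModSecurity). It shows the three pieces the post discusses: the case-insensitive method match forced by the lowercase transformation, the path normalisation that defeats the /blog//wp-comments-post.php evasion, and how an @rbl lookup is formed as a DNS name (reversed octets under the zone). DNS answers are replaced by a constructed table so it runs offline; the listed address 1.2.3.4 is made up.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Zones from the post's rules. Constructed stand-in for DNS answers: a real
# @rbl check resolves <reversed-ip>.<zone> and treats any A record as "listed".
RBL_ZONES = ("list.dsbl.org", "bl.spamcop.net", "sbl-xbl.spamhaus.org")
FAKE_DNS = {"4.3.2.1.bl.spamcop.net": "127.0.0.2"}  # constructed: 1.2.3.4 is listed

def rbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def rbl_listed(ip, zone, resolve=FAKE_DNS.get):
    """@rbl semantics: the address is listed if the query name resolves at all."""
    return resolve(rbl_query_name(ip, zone)) is not None

def normalise_path(uri):
    """Approximates t:normalisePath: collapse '//' and resolve '.' and '..'.
    Operates on the path component only; the query string is ignored here."""
    path = urlsplit(uri).path
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"           # normpath drops a trailing slash; keep it
    return norm

# Same pattern as the post's REQUEST_URI rule, with the dot escaped so it
# matches only a literal '.php' suffix.
TARGET = re.compile(r"wp-(comments-post|trackback)\.php$")

def matching_zone(method, uri, remote_addr, resolve=FAKE_DNS.get):
    """Evaluate the chain: method, then normalised target, then each RBL.
    Returns the zone whose rule would fire (i.e. deny), or None."""
    if method.lower() != "post":          # t:lowercase makes ^post$ the right match
        return None
    if not TARGET.search(normalise_path(uri)):
        return None
    for zone in RBL_ZONES:                # one chain per zone in the post
        if rbl_listed(remote_addr, zone, resolve):
            return zone
    return None
```

Swapping the `resolve` argument for a real DNS resolver turns the model into a live check; with the constructed table, the evaded form of the URI is still caught once normalised.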

Thanks a lot Ivan Ristic for your comments!
