Wanted to get feedback on GeoIP DB activation. Here is what is in the current modsecurity_crs_10_setup.conf file -

#
# -- [[ GeoIP Database ]] -----------------------------------------------------------------
#
# There are some rulesets that need to inspect the GEO data of the REMOTE_ADDR data.
#
# You must first download the MaxMind GeoIP Lite City DB -
#
# http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
#
# You then need to define the proper path for the SecGeoLookupDb directive
#
# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html
#
SecGeoLookupDb /usr/local/apache/conf/modsec/GeoLiteCity.dat

The rationale for this directive is that we will be adding rules that need to inspect the GEO collection data to identify potential fraud, raise risk scores and provide GeoIP data within generated alerts.

Does anyone have any issues with the SecGeoLookupDb directive being activated by default, or should this be commented out so that the user can activate it if they want to use GeoIP data?

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader
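
The three uses named in the message above (flagging possible fraud, raising risk scores, putting GeoIP data in alerts), sketched as ModSecurity 2.x rules. This is an added example, not part of the original post or of the CRS; the rule ids, score increments and the XX/YY country codes are placeholders.

```apache
# Added example. Rule ids, score increments and country codes (XX, YY) are
# placeholders chosen for illustration, not values from the CRS.

# Path as given in the setup file quoted above.
SecGeoLookupDb /usr/local/apache/conf/modsec/GeoLiteCity.dat

# Populate the GEO collection from the client address. @geoLookup matches
# when the lookup succeeds, so this rule only needs to run, not to log.
SecRule REMOTE_ADDR "@geoLookup" \
    "id:'999010',phase:1,t:none,pass,nolog"

# Lookup failed (private or unlisted address, or no database loaded):
# record it so later rules do not silently test an empty collection.
SecRule &GEO "@eq 0" \
    "id:'999011',phase:1,t:none,pass,log,\
    msg:'GeoIP lookup failed for %{remote_addr}'"

# Raise the transaction's risk score for a locally defined country list and
# carry the GeoIP data into the alert message.
SecRule GEO:COUNTRY_CODE "@rx ^(?:XX|YY)$" \
    "id:'999012',phase:1,t:none,pass,log,\
    msg:'Client address geolocated to %{geo.country_code} (%{geo.country_name})',\
    setvar:tx.anomaly_score=+5"
```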
