Use only Malicious country Rule

Blason R

unread,

Aug 6, 2022, 9:24:36 AM8/6/22

to ModSecurity Core Rule Set project

Hi Team,

I wanted to use Modsecurity with CRS and only needed to use a country block. Hence I am thinking of activating that rule only. Is this possible? Can we do that?

Franziska Buehler

unread,

Aug 7, 2022, 9:08:59 AM8/7/22

to Blason R, ModSecurity Core Rule Set project

Hi!

You are probably talking about the CRS 3.3 Rule 910100 from the file https://github.com/coreruleset/coreruleset/blob/v3.3/dev/rules/REQUEST-910-IP-REPUTATION.conf#L60.

The OWASP Core Rule Set can protect against many attacks, but DoS protection is not one of the main goals we are pursuing with the CRS.

Therefore, the DoS protection rules will be moved to a separate plugin from the next release 4.0 and will no longer belong to the core CRS:

See plugins:

https://github.com/coreruleset/dos-protection-plugin-modsecurity-v2 and

https://github.com/coreruleset/dos-protection-plugin-modsecurity-v3

But even in these plugins, the rule that executes country block is no longer included. The problem is that the rule does a geoLookup (https://github.com/coreruleset/coreruleset/blob/v3.3/dev/rules/REQUEST-910-IP-REPUTATION.conf#L76), which isn't that easy anymore. Also see ModSecurity docs: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#geolookup

Also see CRS issue:

https://github.com/coreruleset/coreruleset/issues/2433#issuecomment-1172288180

In any case, I would recommend other features of the CRS, but not this rule that you want to use.

Best,

Franziska

CRS Dev on Duty

On Sat, Aug 6, 2022 at 3:24 PM Blason R <blas...@gmail.com> wrote:

Hi Team,

I wanted to use Modsecurity with CRS and only needed to use a country block. Hence I am thinking of activating that rule only. Is this possible? Can we do that?

--
You received this message because you are subscribed to the Google Groups "ModSecurity Core Rule Set project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to modsecurity-core-rule-...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/modsecurity-core-rule-set-project/CAPPXLT-7eWOe%2BT0n2HPGCD-%2BKcZDV5NG8fXMxawgLqcnXVs%3Dgg%40mail.gmail.com.

Blason R

unread,

Aug 7, 2022, 8:42:53 PM8/7/22

to Franziska Buehler, ModSecurity Core Rule Set project

Thanks for the reply team -

Reply all

Reply to author

Forward