Re: [jcollat@gmail.com: [modsecurity-core-rule-set-project] Welcome & GeoIP]

[Jozef Sudolsky]

Hi Jean!

Unfortunately, GeoIP support was removed from core CRS in version 4.0.
There is ongoing work to add it as a plugin but it was not officialy
included into CR yet - you can find it here (read the readme as,
currently, plugin on it's own is not doing any blocking based on geoip):

https://github.com/azurit/modsecurity-geoip-plugin


Jozef





> Date: Mon, 4 Mar 2024 11:47:48 -0800 (PST)
> From: Jean-Charles OLLAT <jco...@gmail.com>
> To: ModSecurity Core Rule Set project
> <modsecurity-core...@owasp.org>
> Subject: [modsecurity-core-rule-set-project] Welcome & GeoIP
>
>
>
> Hello everyone,
>
> I wanted to extend a warm thank you for welcoming me to this discussion
> group. It's a pleasure to join the WAF community.
>
> I just migrated my homelab to Version 4.0.0. I'm using the latest version
> of Modsecurity and the connector for nginx 1.24 (latest stable).
>
> I have examined the file crs-setup.conf, and I don't find anything about
> GeoIP.
>
> Can we still use it ? in the way than the version 3.x ?
>
> Is that something that you have decide to depreciate ?
>
> That sad because, nginx V1.24 do not support GeoIP anymore so the last
> option is to use the host firewall.
>
> Thanks again to let me in ...
>
> --
> You received this message because you are subscribed to the Google
> Groups "ModSecurity Core Rule Set project" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to
> modsecurity-core-rule-...@owasp.org.
> To view this discussion on the web visit
> https://groups.google.com/a/owasp.org/d/msgid/modsecurity-core-rule-set-project/2dd4aca8-1ede-44df-b2d5-6021233a4ac7n%40owasp.org.
>
>
> ----- End forwarded message -----

[Christian Folini]

Hi there,

Adding to what Jozef explained: The new plugin architecture allows us to
move non-standard functionality into plugin to streamline the main release.

GeoIP, which is a bit different on every platform, is one such feature.

We think GeoIP is important, but it's better to keep it separate.

Best,

Christian

> To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/modsecurity-core-rule-set-project/20240305103112.Horde.TcaAx7QGUtYqvax3BmqXEhn%40webmail.inetadmin.eu.

[Jean-Charles OLLAT]

Thanks

I tied to used the GeoIP Plugin but I'm little bit confuse about witch variables to use (for NGINX and MaxMind) ? geoip2_data_country_iso_code ?

[Jozef Sudolsky]

Depends on the configuration but it should be env.geoip_country_code
also for nginx.




Citát Jean-Charles OLLAT <jco...@gmail.com>:

> https://groups.google.com/a/owasp.org/d/msgid/modsecurity-core-rule-set-project/1444dc60-0656-4fbb-bdc4-96cfbf99978bn%40owasp.org.

[Jean-Charles OLLAT]

I think it's env.geoip2_data_country_iso_code so I modify the geoip-config.conf as below but the variable is emtpy ..

The variable geoip2_data_country_iso_code works well at the nginx level because I used it on my log format in nginx.conf.

SecGeoLookupDb /usr/share/GeoIP/GeoLite2-Country.mmdb

SecAction \
 "id:9599020,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  ver:'geoip-plugin/1.0.0',\
  setvar:'tx.geoip-plugin_custom_lookup=0',\
  setvar:'tx.geoip-plugin_country_code=%{env.geoip2_data_country_iso_code}'"

[Jozef Sudolsky]

Setting tx.geoip-plugin_country_code is used only when
tx.geoip-plugin_custom_lookup is set to 1 and in that case you need an
external source of geoip data (like mod_maxmind for Apache).

If you really have an other source of geoip data (like you said -
using env.geoip2_data_country_iso_code) then remove SecGeoLookupDb
(because it will initialize another source of geoip) and set
tx.geoip-plugin_custom_lookup to 1.



Citát Jean-Charles OLLAT <jco...@gmail.com>:

> https://groups.google.com/a/owasp.org/d/msgid/modsecurity-core-rule-set-project/d467d565-0bbf-4641-9e54-a971e5b59940n%40owasp.org.