REMOTE_ADDR is incorrectly populated #734
Comments
oniric85
changed the title
|
Some other information. |
|
This is probably related to this commit where client IP passing to IIS was added to ModSecurity: Seems like GetIpAddr is using winsock function WSAAddressToString that also appends port information according to documentation and google searches so maybe this is the root cause of the problem. |
|
Disclaimer: This is my first lua script and that language is not pretty. Here's a overly simple lua script that you can use as a workaround #!/opt/local/bin/lua
function main()
m.log(4, "Custom lua is running: " .. m.getvar("REMOTE_ADDR") );
local rawipaddress = m.getvar("REMOTE_ADDR", "none");
if(rawipaddress == nil) then
m.log(4, "REMOTE_ADDR is nil");
return nil
end
local ipaddress = "none";
for token in string.gmatch(rawipaddress, "[^:]+") do
m.log(4, "IPAddress is " .. token);
ipaddress = token
break
end
if(ipaddress == nil) then
m.log(4, "Parsed IP Address is nil, this is weird");
return nil
end
m.setvar("TX.IPADRES", ipaddress);
m.log(4, "IP is in TX.IPADRES: " .. m.getvar("TX.IPADRES"));
return nil;
endIn order to use this as an example SecRuleScript "set_ip.lua" "pass"
SecRule TX:IPADRES "@geoLookup" "chain,phase:1,t:none,block,log,msg:'Client IP not from US',id:1244"
SecRule GEO:COUNTRY_CODE "!@streq US" |
|
Just ran into the same issue, I have a custom rule that blocks IP addresses based on requested URIs & it only blocks IP/port combination(192.168.0.1:40987 etc) which defeats the purpose. The lua script above doesn't seem to set the "tx.ipadres" variable. Has this been fixed in the new version? Is there another workaround? Thanks, |
|
Hi @ojasp this issue still open. There is no fix available yet. Most likely it will be fixed when the IIS add-on starts to use the libmodsecurity instead of the Standalone version. |
|
Thanks zimmerle! Do you suggest any workaround to extract IP address from remote_addr? |
|
I would like to post an update as I was able to get the above script to work after quite a lot of trial and error. When you call the lua script, please make sure to include phase & t:none. Here's my modified lua script: #!/opt/local/bin/lua
function main()
local rawipaddress = m.getvar("REMOTE_ADDR", "none");
local ipaddress = "none";
for token in string.gmatch(rawipaddress, "[^:]+") do
m.log(4, "IPAddress is " .. token);
ipaddress = token
break
end
m.setvar("TX.IPADRES", ipaddress);
m.log(4, "IP is in TX.IPADRES: " .. m.getvar("TX.IPADRES"));
return nil;
endHere is how I call the lua script: SecRuleScript "set_ip.lua" "phase:1,t:none,pass"
SecAction phase:1,nolog,pass,initcol:user=%{TX.IPADRES},id:100 |
|
@ojasp good solution! |
|
@ojasp can you explain if there is new edition of your solution? I put this in my modsecurity_crs_15_customrules.conf SecRuleScript "set_ip.lua" "phase:1,t:none,pass" Is this correct ? |
|
@itrade-it : Are you are running .NET/MVC application with global.asax configured to Anyhow, I still have my lua script and custom rule files. Let me know if On Tue, Apr 26, 2016 at 4:58 AM, itrade-it [email protected] wrote:
|
|
Thank you.
|
|
Fixed by: #1220. |
Hi, all
I was trying to determine what was not working with my GeoIP database that I've set up for ModSecurity under IIS. It seems to me that REMOTE_ADDR variable is filled with the ip address concatenated to the REMOTE_PORT like
127.0.0.1:54321
This is not correct as it then causes the Geo lookup to fail as per this log line:
GEO: Looking up "xxx.xxx.xxx.xxx:63565".
Geo lookup for "xxx.xxx.xxx.xxx:63565" failed: The requested name is valid, but no data of the requested type was found.
I think this is a big issue as it seems not to be local to the Geo IP section but a global problem.
The text was updated successfully, but these errors were encountered: