
Utilizing the HTTP BlackList (HTTPBL) API with Mod_Security

Discussion in 'Security' started by Astral God, Dec 28, 2012.

  1. Astral God

    Astral God Member

    Utilizing the HTTP BlackList (HTTPBL) API

    A very useful tool provided by Project Honeypot is the HTTP Blacklist (HTTPBL). They describe the HTTP BL as follows:

    This is useful data, as it tracks the IP addresses of clients who have been flagged as malicious by Project Honeypot's trap network, which means that there is a very low chance of false positives. In the latest ModSecurity version (2.7), we added the capability to use the Http:BL API by allowing the ModSecurity user to specify their registered API key with the new SecHttpBlKey directive.

    You can then use rules similar to the following to check the client IP address against the HTTP BL:

    Code:
    SecHttpBlKey YOUR_API_KEY_HERE
    SecRule TX:REAL_IP|REMOTE_ADDR "@rbl dnsbl.httpbl.org" "id:'99010',chain,phase:1,t:none,capture,block,msg:'HTTPBL Match of Client IP.',logdata:'%{tx.httpbl_msg}',setvar:tx.httpbl_msg=%{tx.0}"
            SecRule TX:0 "threat score (\d+)" "chain,capture"
                    SecRule TX:1 "@gt 20"
    If a malicious client connects to your web server, this rule will inspect the "threat score" data returned by the HTTP BL and then it will trigger an alert if it is above the defined threshold limit (20 here). An example alert would be generated and the client would be blocked (depending on your configuration).

    Code:
    [Tue Dec 18 16:22:44 2012] [error] [client 173.44.37.234] ModSecurity: Warning. Operator GT matched 20 at TX:1. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "2"] [id "999010"] [msg "HTTPBL Match of Client IP."] 
    [data "RBL lookup of whdkfieyhtnf.234.37.44.173.dnsbl.httpbl.org succeeded at REMOTE_ADDR. 
    Suspicious comment spammer IP: 1 days since last activity, threat score 80"] 
    [hostname "MacBook-Pro-2.local"] [uri "/cgi-bin/printenv"] [unique_id "UNDeo8CoAWoAACDARMkAAAAC"]
    More info at SpiderLabs Blog: Setting HoneyTraps with ModSecurity: Project Honeypot Integration - SpiderLabs Anterior
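As an added example (not code from this post, from SpiderLabs or from ModSecurity), here is the same check done outside the web server, which is handy for testing a key or for scoring IPs in logs after the fact: it builds the Http:BL query name the way the "RBL lookup of whdkfieyhtnf.234.37.44.173.dnsbl.httpbl.org" line above shows it, decodes the `127.<days>.<threat score>.<visitor type>` answer that Project Honeypot's API returns, and applies the rule's "greater than 20" threshold. The `fake_resolve` table and the address 192.0.2.10 are constructed so the script runs offline; a live lookup through `_dns_resolve` needs your own registered key.

```python
"""Check a client IP against Project Honeypot's Http:BL zone and apply the
threat-score threshold the ModSecurity rule uses (block when score > 20).
Added example; not code from the forum post, SpiderLabs or ModSecurity."""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional

HTTPBL_ZONE = "dnsbl.httpbl.org"

# Visitor-type bits in the last octet of an Http:BL answer
# (Project Honeypot's documented encoding; 0 means "search engine").
VISITOR_TYPES = {1: "suspicious", 2: "harvester", 4: "comment spammer"}


@dataclass
class HttpblResult:
    listed: bool
    days_since_activity: int = 0
    threat_score: int = 0
    visitor_type: int = 0

    def type_labels(self) -> List[str]:
        if not self.listed:
            return []
        if self.visitor_type == 0:
            return ["search engine"]
        return [name for bit, name in VISITOR_TYPES.items() if self.visitor_type & bit]

    def describe(self) -> str:
        if not self.listed:
            return "not listed"
        return "%s IP: %d days since last activity, threat score %d" % (
            " ".join(self.type_labels()), self.days_since_activity, self.threat_score)


def httpbl_query_name(api_key: str, ip: str) -> str:
    """Build <key>.<reversed IPv4>.dnsbl.httpbl.org, the name ModSecurity
    queries for @rbl once SecHttpBlKey is set."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("Http:BL only lists IPv4 addresses: %r" % ip)
    return ".".join([api_key] + octets[::-1] + [HTTPBL_ZONE])


def parse_httpbl_answer(answer: str) -> HttpblResult:
    """Decode a 127.<days>.<score>.<type> answer; anything else is an error."""
    parts = answer.split(".")
    if len(parts) != 4 or parts[0] != "127":
        raise ValueError("unexpected Http:BL answer: %r" % answer)
    days, score, vtype = (int(p) for p in parts[1:])
    return HttpblResult(True, days, score, vtype)


def _dns_resolve(name: str) -> Optional[str]:
    """Real lookup: NXDOMAIN means the IP is not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def httpbl_lookup(api_key: str, ip: str,
                  resolve: Callable[[str], Optional[str]] = _dns_resolve) -> HttpblResult:
    answer = resolve(httpbl_query_name(api_key, ip))
    if answer is None:
        return HttpblResult(listed=False)
    return parse_httpbl_answer(answer)


def should_block(result: HttpblResult, threshold: int = 20) -> bool:
    """Same decision as the chained rule: block only when listed and score > threshold."""
    return result.listed and result.threat_score > threshold


# Constructed stand-in for DNS so the example runs offline: the answer
# 127.1.80.5 reproduces the "1 days since last activity, threat score 80",
# suspicious + comment spammer hit shown in the log line above.
FAKE_ZONE = {"whdkfieyhtnf.234.37.44.173.dnsbl.httpbl.org": "127.1.80.5"}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for client in ("173.44.37.234", "192.0.2.10"):  # second address is constructed
        res = httpbl_lookup("whdkfieyhtnf", client, resolve=fake_resolve)
        print(client, "->", res.describe(), "| block:", should_block(res))
```

The visitor type is a bitmask, so the log's "Suspicious comment spammer" corresponds to type 5 (1 + 4). A type of 0 marks a known search engine, and for those the score is not a threat indicator, which is why `type_labels()` reports it separately; if you extend `should_block`, exempting type 0 first avoids blocking crawlers you actually want.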