From 0d4695651a96c48b0362aa8d8b7a4d0879e1e89d Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Sat, 5 Oct 2019 10:10:11 -0300 Subject: [PATCH 1/3] Correct example text regarding GeoIP. Add maxmind tool for downloading files --- crs-setup.conf.example | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/crs-setup.conf.example b/crs-setup.conf.example index 8c0d4eb9b..97072935c 100644 --- a/crs-setup.conf.example +++ b/crs-setup.conf.example 
@@ -622,20 +622,33 @@ SecDefaultAction "phase:2,log,auditlog,pass" # # To use geolocation, we make use of the MaxMind GeoIP database. # This database is not included with the CRS and must be downloaded. -# You should also update the database regularly, for instance every month. -# The CRS contains a tool to download it to util/geo-location/GeoIP.dat: -# util/upgrade.py --geoip # -# This product includes GeoLite data created by MaxMind, available from: -# http://www.maxmind.com. +# There are two formats for the GeoIP database. ModSecurity v2 uses v1 (.dat files), +# and ModSecurity v3 uses v2 (.mmdb files). +# +# MaxMind provides a binary for updating, see https://github.com/maxmind/geoipupdate. +# Download the package for your OS, and read https://dev.maxmind.com/geoip/geoipupdate/ +# for configuration options. +# +# You should also update the database regularly, see Step 3 of the configuration link above. +# +# By default, when you execute `sudo geoipupdate` on Linux, files from the free database +# will be downloaded to `/usr/share/GeoIP` (both v1 and v2). +# +# Then choose from: +# - `GeoLite2-Country.mmdb` (if you are using ModSecurity v3) +# - `GeoLiteCountry.dat` (a.k.a. `GeoIP.dat` if you are using ModSecurity v2) # # Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html # Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html # -# Uncomment this rule to use this feature: +# Uncomment only one of the next rules here to use this feature. +# Choose the one depending on the ModSecurity version you are using, and change the path accordingly: # -#SecGeoLookupDB util/geo-location/GeoIP.dat - +# For ModSecurity v3: +#SecGeoLookupDB /usr/share/GeoIP/GeoLite2-Country.mmdb +# For ModSecurity v2: +#SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat # # -=[ Block Countries ]=- From 1018ef5227c8987dafa7a54385d0bd0d51e0ce61 Mon Sep 17 00:00:00 2001 
From: Felipe Zipitria Date: Sun, 20 Oct 2019 17:25:26 -0300 Subject: [PATCH 2/3] Better document legacy conversion procedure Add text with instructions for a simple conversion utility. --- crs-setup.conf.example | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/crs-setup.conf.example b/crs-setup.conf.example index 97072935c..31681aa78 100644 --- a/crs-setup.conf.example +++ b/crs-setup.conf.example
@@ -626,18 +626,34 @@ SecDefaultAction "phase:2,log,auditlog,pass" # There are two formats for the GeoIP database. ModSecurity v2 uses v1 (.dat files), # and ModSecurity v3 uses v2 (.mmdb files). # -# MaxMind provides a binary for updating, see https://github.com/maxmind/geoipupdate. +# If you use ModSecurity 3, MaxMind provides a binary for updating GeoLite2 files, +# see https://github.com/maxmind/geoipupdate. +# # Download the package for your OS, and read https://dev.maxmind.com/geoip/geoipupdate/ # for configuration options. # -# You should also update the database regularly, see Step 3 of the configuration link above. +# Warning: GeoLite (not GeoLite2) databases are considered legacy, and not being updated anymore. +# See https://support.maxmind.com/geolite-legacy-discontinuation-notice/ for more info. +# +# Therefore, if you use ModSecurity v2, you need to regenerate updated .dat files +# from CSV files first. +# +# You can achieve this using https://github.com/sherpya/geolite2legacy +# Pick the zip files from maxmind site: +# https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip +# +# Follow the guidelines for installing the tool and run: +# ./geolite2legacy.py -i GeoLite2-Country-CSV.zip \ +# -f geoname2fips.csv -o /usr/share/GeoliteCountry.dat +# +# Update the database regularly, see Step 3 of the configuration link above. # # By default, when you execute `sudo geoipupdate` on Linux, files from the free database # will be downloaded to `/usr/share/GeoIP` (both v1 and v2). # # Then choose from: # - `GeoLite2-Country.mmdb` (if you are using ModSecurity v3) -# - `GeoLiteCountry.dat` (a.k.a. `GeoIP.dat` if you are using ModSecurity v2) +# - `GeoLiteCountry.dat` (if you are using ModSecurity v2) # # Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html # Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html 
@@ -647,7 +663,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # # For ModSecurity v3: #SecGeoLookupDB /usr/share/GeoIP/GeoLite2-Country.mmdb -# For ModSecurity v2: +# For ModSecurity v2 (points to the converted one): #SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat # From 4403a0866603202b31e316f5daf4be3b0e6094f6 Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Sun, 20 Oct 2019 18:30:42 -0300 Subject: [PATCH 3/3] Change version number for full version name --- crs-setup.conf.example | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crs-setup.conf.example b/crs-setup.conf.example index 31681aa78..7bb92b885 100644 --- a/crs-setup.conf.example +++ b/crs-setup.conf.example @@ -623,8 +623,8 @@ SecDefaultAction "phase:2,log,auditlog,pass" # To use geolocation, we make use of the MaxMind GeoIP database. # This database is not included with the CRS and must be downloaded. # -# There are two formats for the GeoIP database. ModSecurity v2 uses v1 (.dat files), -# and ModSecurity v3 uses v2 (.mmdb files). +# There are two formats for the GeoIP database. ModSecurity v2 uses GeoLite (.dat files), +# and ModSecurity v3 uses GeoLite2 (.mmdb files). # # If you use ModSecurity 3, MaxMind provides a binary for updating GeoLite2 files, # see https://github.com/maxmind/geoipupdate.
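Review bot: In PATCH 1/3, hunk `@@ -622,20 +622,33 @@`, the removed lines `# This product includes GeoLite data created by MaxMind, available from:` / `# http://www.maxmind.com.` are the attribution notice MaxMind asks for when the free GeoLite data is used, and the new text still directs users to that free database, so please keep that notice rather than dropping it (it can sit right after the "Then choose from:" list). In the same hunk the new sentence "files from the free database will be downloaded to `/usr/share/GeoIP` (both v1 and v2)" would benefit from a pointer to which `geoipupdate` configuration (edition IDs) actually produces each format, since the tool only fetches what its config lists.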
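Review bot: In PATCH 2/3, hunk `@@ -626,18 +626,34 @@`, the output path of the conversion command, `-o /usr/share/GeoliteCountry.dat`, does not match the path the config later points at, `#SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat`: the `GeoIP/` directory is missing and the casing differs (`Geolite` vs `GeoLite`), which on a case-sensitive filesystem means ModSecurity v2 will not find the converted file; use `-o /usr/share/GeoIP/GeoLiteCountry.dat` so both lines agree. Also, the newly added "Warning: GeoLite (not GeoLite2) databases are considered legacy, and not being updated anymore" now sits a few lines above the unchanged context "files from the free database will be downloaded to `/usr/share/GeoIP` (both v1 and v2)", which contradicts it; restrict that sentence to GeoLite2 (ModSecurity v3) and point v2 users to the conversion step.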
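Review bot: In PATCH 2/3, hunk `@@ -647,7 +663,7 @@`, the new comment `# For ModSecurity v2 (points to the converted one):` is vague about what "the converted one" is; say explicitly that this is the `.dat` file produced by `geolite2legacy` above and that the path must be the same as the `-o` argument given there, so a reader who edits one line knows to edit the other.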
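Review bot: In PATCH 3/3, hunk `@@ -623,8 +623,8 @@`, renaming "v1 (.dat files)" / "v2 (.mmdb files)" to "GeoLite (.dat files)" / "GeoLite2 (.mmdb files)" is the right call, but the same v1/v2 wording survives in the unchanged line "will be downloaded to `/usr/share/GeoIP` (both v1 and v2)" (visible as context in PATCH 2/3); sweep that occurrence in this commit too so the file uses one naming scheme throughout.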