List:       mod-security-users
Subject:    [mod-security-users] Wrong Country with GeoLookup for private IP,
From:       "Rechtberger Friedrich" <friedrich.rechtberger () wienkav ! at>
Date:       2011-08-09 13:19:20
Message-ID: 6C4A91205218E847946C9049E2AF2C0004EBB351 () vXCMB01 ! wienkav ! at

Hi!

When I use the actual GeoLiteCity.dat for a geoLookup test and a private
IP address "172.18.16.198" I get a wrong answer from geoLookup.
 
In debug_log (Level 9) the country is Congo for "172.18.16.198".
 
[/Webmail/test.mbx/Entwrfe][5] Rule 2b3d2d045b20: SecRule "REMOTE_ADDR"
"@geoLookup " "t:none"
[/Webmail/test.mbx/Entwrfe][4] Executing operator "geoLookup" with param
"" against REMOTE_ADDR.
[/Webmail/test.mbx/Entwrfe][9] GEO: Looking up "172.18.16.198".
[/Webmail/test.mbx/Entwrfe][9] GEO: Using address "172.18.16.198"
(0xac1210c6).
[/Webmail/test.mbx/Entwrfe][9] GEO:
rec="\x2a\xd2\x00\x00\x00\x30\xc1\x1d\x80\xb9\x2a\x6f\x00\x00\x00\x80\xf
5\x20\xe0\x85\x30\x30\x00\x00\x00\x70\xce\x20\xd0\x7c\x2b\x10\x00\x00\x0
0\x90\x58\x17\x90\xc2\x2f\x67\x00\x00\x00\x80\x84\x1e\x10\x37"
[/Webmail/test.mbx/Entwrfe][9] GEO: country="\x2a"
[/Webmail/test.mbx/Entwrfe][9] GEO: region="\xd2\x00"
[/Webmail/test.mbx/Entwrfe][9] GEO: city="\x00"
[/Webmail/test.mbx/Entwrfe][9] GEO: postal_code="\x00"
[/Webmail/test.mbx/Entwrfe][9] GEO: latitude="\x30\xc1\x1d"
[/Webmail/test.mbx/Entwrfe][9] GEO: longitude="\x80\xb9\x2a"
[/Webmail/test.mbx/Entwrfe][9] GEO: dma/area="\x6f\x00\x00"
[/Webmail/test.mbx/Entwrfe][9] GEO: 172.18.16.198={country_code=CG,
country_code3=COG, country_name=Congo, country_continent=AF, region= ,
city=, postal_code=, latitude=15.000000, longitude=100.000000,
dma_code=0, area_code=0}
 
When I test against GeoIP.dat or with a real (non-private) IP I get the
same results as at http://www.maxmind.com/app/lookup_city.
 
Is there a bug in the geoLookup feature?
 
I tested with this test rule against REMOTE_ADDR:
 
SecRule IP:OWA_SEND_ATTEMPT "@gt 1" \
"chain,phase:2,pass,t:none,log,id:'10035',severity:'5',msg:'Logging
GeoIP Data due to high send score.',logdata:'Country
Code=%{geo.country_code}, Country Code3=%{geo.country_code3}, Country
Name=%{geo.country_name}, Country Continent=%{geo.country_continent},
City=%{geo.city}'"
SecRule REQUEST_URI "@rx ^/webmail/[-._a-z0-9]+/entwrfe"
"chain,t:urlDecodeUni,t:lowercase"
SecRule REMOTE_ADDR "@geoLookup" "t:none"

and with this test rule against any other test IP (setvar:tx.testip):
 
SecRule IP:SEND_ATTEMPT "@gt 1" \
"chain,phase:2,pass,t:none,log,id:'10035',severity:'5',msg:'Logging
GeoIP Data due to high send score.',logdata:'Country
Code=%{geo.country_code}, Country Code3=%{geo.country_code3}, Country
Name=%{geo.country_name}, Country Continent=%{geo.country_continent},
City=%{geo.city}'"
SecRule REQUEST_URI "@rx ^/webmail/[-._a-z0-9]+/entwrfe"
"chain,t:urlDecodeUni,t:lowercase,setvar:tx.testip=194.232.104.141"
SecRule TX:TESTIP "@geoLookup" "t:none"

Best Regards
Fritz
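The debug output above contains the raw record bytes that geoLookup decoded into "Congo", so the result can be checked by hand. The following Python is an added example, not part of the original post and not ModSecurity code: it reconstructs the `rec="..."` bytes from the three wrapped log lines, decodes them with the legacy MaxMind City record layout (one country-index byte, NUL-terminated region/city/postal strings, then 3-byte little-endian latitude and longitude scaled by 1/10000 with a -180 offset, then a 3-byte dma/area field), and adds the check a defender wants in front of any geo lookup: a private or otherwise non-global source address cannot have a meaningful geo answer. The country-code table prefix, the record layout and the US-only dma/area rule are assumptions taken from how libGeoIP and ModSecurity's msc_geo.c are known to behave; the `guarded_lookup` helper is hypothetical.

```python
import ipaddress

# First 43 entries of the legacy MaxMind GeoIP country-code table (index -> ISO code),
# assumed from libGeoIP and trimmed so that index 42 (0x2a, the byte in the log) is reachable.
COUNTRY_CODES = [
    "--", "AP", "EU", "AD", "AE", "AF", "AG", "AI", "AL", "AM", "AN", "AO", "AQ",
    "AR", "AS", "AT", "AU", "AW", "AZ", "BA", "BB", "BD", "BE", "BF", "BG", "BH",
    "BI", "BJ", "BM", "BN", "BO", "BR", "BS", "BT", "BV", "BW", "BY", "BZ", "CA",
    "CC", "CD", "CF", "CG",
]

# Raw record bytes exactly as printed in the rec="..." debug line of the post,
# joined back together from its three wrapped lines.
RECORD = bytes.fromhex(
    "2ad200000030c11d80b92a6f00000080f520e0853030000000"
    "70ce20d07c2b1000000090581790c22f6700000080841e1037"
)


def _cstring(buf, pos):
    """Read a NUL-terminated string starting at pos; return (text, position after the NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def _coord(buf, pos):
    """3-byte little-endian integer, scaled the way legacy GeoIP stores coordinates."""
    raw = int.from_bytes(buf[pos:pos + 3], "little")
    return raw / 10000.0 - 180.0


def decode_city_record(rec):
    """Decode a legacy GeoIP City (rev1) record into the fields the debug log prints."""
    country_idx = rec[0]
    country = COUNTRY_CODES[country_idx] if country_idx < len(COUNTRY_CODES) else "??"
    region, pos = _cstring(rec, 1)
    city, pos = _cstring(rec, pos)
    postal, pos = _cstring(rec, pos)
    latitude = _coord(rec, pos)
    longitude = _coord(rec, pos + 3)
    # dma/area is only interpreted for US records (libGeoIP convention, assumed here);
    # that is why the log shows the bytes "\x6f\x00\x00" but dma_code=0, area_code=0.
    dma_area = int.from_bytes(rec[pos + 6:pos + 9], "little")
    dma_code, area_code = (dma_area // 1000, dma_area % 1000) if country == "US" else (0, 0)
    return {
        "country_code": country, "region": region, "city": city, "postal_code": postal,
        "latitude": latitude, "longitude": longitude,
        "dma_code": dma_code, "area_code": area_code,
    }


def is_geolocatable(ip):
    """False for RFC 1918, loopback, link-local and other non-global addresses."""
    return ipaddress.ip_address(ip).is_global


def guarded_lookup(ip, rec):
    """Return the decoded record only when a geo answer for ip can mean anything.

    For 172.18.16.198 this returns None instead of the misleading 'CG' record;
    for the public test IP 194.232.104.141 the record is decoded as usual.
    """
    if not is_geolocatable(ip):
        return None
    return decode_city_record(rec)


if __name__ == "__main__":
    print(decode_city_record(RECORD))          # country_code CG, latitude 15.0, longitude 100.0
    print(guarded_lookup("172.18.16.198", RECORD))   # None: private source, no geo data
    print(guarded_lookup("194.232.104.141", RECORD))  # decoded record
```

Decoding the bytes reproduces the log exactly (index 0x2a is CG, 0x1dc130 / 10000 - 180 = 15.0, 0x2ab980 / 10000 - 180 = 100.0), which shows the database record was read consistently; the problem is that a geo record is being applied to an address that no geo database can place. In the rule chains above the same guard can be expressed as an extra link before the `@geoLookup` rule that rejects REMOTE_ADDR when it falls in the private ranges (for instance a negated `@ipMatch` against 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), so that internal sources are logged as having no geo data rather than a wrong country.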
