13 Jun 2011 20:33
Re: can not get 'skipAfter' work
Yi Li <yi.li26 <at> gmail.com>
2011-06-13 18:33:29 GMT
Brian:
thanks for the feedback; after adding 'phase:1', 'skipAfter' at least works for the test rule.
As I want certain URLs to skip the GeoIP rules, I modified the rule, and now 'skipAfter' breaks again: it does not trigger.
any help would be appreciated.
thanks.
here are the new rules:
SecRule PATH_INFO "!@eq url01" \
"phase:1,skipAfter:AFTER_GEO_IP_CHECK,allow,msg:'skip geoip',logdata:' for uri: %{PATH_INFO}'"
SecMarker GEO_IP_CHECK
SecRule REMOTE_ADDR "^10\.128\.76\.50$" "phase:1,drop,msg:'ip block',logdata:'%{PATH_INFO}'"
SecRule REMOTE_ADDR @geoLookup \
"phase:1,chain,log,ctl:ruleEngine=On,ctl:auditEngine=RelevantOnly,msg:'non-us-ca country code logged Geo-IP',logdata:'client ip: %{REMOTE_ADDR},%{GEO:COUNTRY_CODE}'"
SecRule GEO:COUNTRY_CODE "!@within US CA"
SecMarker AFTER_GEO_IP_CHECK
On Fri, Jun 10, 2011 at 6:06 PM, Brian Rectanus <brectanu <at> gmail.com> wrote:
You probably just need to add the forgotten "phase:1" to your
skipAfter rule as your default phase must not be 1.
-B
On Fri, Jun 10, 2011 at 2:56 PM, Yi Li <yi.li26 <at> gmail.com> wrote:
>
> I tried to set up rules so that in some circumstances, some rules could be
> bypassed.
> I used the 'skipAfter' directive; it seems that 'skipAfter' never
> triggers and therefore cannot bypass the rules which should be bypassed.
> any help would be appreciated.
> Details:
> the rules are below:
> SecRule REMOTE_ADDR "^10\.128\.76\.50$" \
> "skipAfter:AFTER_GEO_IP_CHECK,allow,msg:'skip geoip'"
> SecMarker GEO_IP_CHECK
> SecRule REMOTE_ADDR "^10\.128\.76\.50$" "phase:1,drop,msg:'ip block',logdata:'%{PATH_INFO}'"
> SecRule REMOTE_ADDR @geoLookup \
> "phase:1,chain,log,ctl:ruleEngine=On,ctl:auditEngine=RelevantOnly,msg:'non-us-ca country code logged Geo-IP',logdata:'client ip: %{REMOTE_ADDR},%{GEO:COUNTRY_CODE}'"
> SecRule GEO:COUNTRY_CODE "!@within US CA"
> SecMarker AFTER_GEO_IP_CHECK
> ## end of rules
> the problem:
> With the rules above, when a client (10.128.76.50) connects, the 'skipAfter'
> should skip the rule block in the 'SecMarker';
> in reality, the request is always caught by the first rule inside
> 'SecMarker'.
> questions:
>
> 0. the modsecurity I use is 2.5.9; I believe 'skipAfter' and 'SecMarker' are
> both supported by this version, correct?
> 1. other than using 'skipAfter' and 'SecMarker', are there other options so that I
> can have some URLs bypass a block of rules?
> 2. if I want to debug why 'skipAfter' never triggers, how can I have it
> produce detailed debug info?
> I increased the debug level to 9 before the 'skipAfter' rule, but it does not
> produce any log related to 'skipAfter'.
>
>
>
> On Wed, May 25, 2011 at 2:37 AM, Christian Bockermann <chris <at> jwall.org> wrote:
>>
>> Hi Li,
>>
>> thanks for restating your objectives. That's much clearer, now.
>>
>> Am 25.05.2011 um 02:05 schrieb Yi Li:
>>
>> > Ryan, phoenix, thank you to both for the comments.
>> >
>> > it seems I confused people when I used the sample inspection rule 'block
>> > 10.128.76.50' to illustrate what I want to achieve. sorry for the
>> > confusion.
>> >
>> > let me explain again what I would like to achieve:
>> >
>> > 1. currently I already have a working rule based on the country code from
>> > GeoIP. Now I want to fine-tune the rule so the inspection is applied only
>> > to 2 specific web pages (currently it inspects requests to any of the web
>> > pages protected by ModSecurity).
>> >
>> > 2. still with the country code blocking rule, I want to allow requests
>> > from a certain IP range to bypass the country code blocking rule.
>>
>> A while back, ModSecurity introduced "markers", which can be used to jump
>> around within the rulesets. Following the structure of your objectives, this
>> might be a straightforward approach using the markers.
>> In the following I put your Geo IP rule into a block surrounded by a
>> GEO_IP_CHECK and an AFTER_GEO_IP_CHECK marker. At the beginning I set up a
>> few rules to skip this block of Geo IP checks for the objectives you defined.
>>
>>
>> SecDefaultAction "phase:1,pass"
>>
>> # Objective #1: Skip the GeoIP check rules for the specific URLs
>> #
>> SecRule REQUEST_URI "@eq /your/url1" \
>> "skipAfter:AFTER_GEO_IP_CHECK,log,msg:'Skipping GeoIP check for URI %{REQUEST_URI}'"
>> SecRule REQUEST_URI "@eq /your/url2" \
>> "skipAfter:AFTER_GEO_IP_CHECK,log,msg:'Skipping GeoIP check for URI %{REQUEST_URI}'"
>>
>> # Objective #2: Bypass the GeoIP check for specific remote addresses
>> #
>> SecRule REMOTE_ADDR "@rx ^192\.168\.30\.\d+$" \
>> "skipAfter:AFTER_GEO_IP_CHECK,log,msg:'Skipping GeoIP check for local network'"
>>
>>
>> # this marks the beginning of the GEO_IP_CHECK
>> #
>> SecMarker GEO_IP_CHECK
>>
>> # put your GEO IP lookup rule into this block:
>> #
>> SecRule REMOTE_ADDR @geoLookup \
>> "phase:1,chain,drop,ctl:ruleEngine=DetectionOnly,ctl:auditEngine=On,msg:'banned country code Geo-IP',logdata:'client ip:%{REMOTE_ADDR},%{GEO:COUNTRY_CODE}'"
>> SecRule GEO:COUNTRY_CODE "!@within US"
>>
>>
>> # this marks the end of the GEO_IP_CHECK
>> SecMarker AFTER_GEO_IP_CHECK
>>
>>
>> So, the basic idea is to have a block of checks, which is marked with
>> GEO_IP_CHECK and AFTER_GEO_IP_CHECK, and to write "exception rules" at the
>> beginning, which skip this block for specific URLs and IP addresses.
>>
>> Note that the GEO_IP_CHECK marker at the beginning is not used; I just put
>> it there to visualize where the start of the Geo IP block is.
>>
>>
>> Best regards,
>> Chris
>
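Brian's diagnosis (the skipAfter rule inherits a default phase other than 1, so it runs after the phase-1 drop rule has already fired) and Chris's marker layout both come down to the same engine behaviour: rules are evaluated phase by phase in file order, a SecMarker exists in every phase, and skipAfter only jumps forward within the chain of the phase currently running. The toy evaluator below is an added illustration for this thread, not ModSecurity code; the address-to-country table is a constructed stand-in for @geoLookup, and the rule names, DEFAULT_PHASE and the sample addresses are assumptions chosen to mirror the rule set in the first mail.

```python
"""Toy model of ModSecurity 2.x phase ordering and skipAfter/SecMarker.

Added illustration for this thread; not ModSecurity code. It reproduces the
engine behaviour the thread turns on: every rule belongs to one phase, a
SecMarker is present in every phase, and skipAfter resumes after the named
marker within the phase currently being evaluated.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

DEFAULT_PHASE = 2  # assumed SecDefaultAction phase, i.e. one that is not phase:1

# Constructed stand-in for @geoLookup: remote address -> country code.
GEO_TABLE = {"10.128.76.50": "US", "203.0.113.5": "FR"}


@dataclass
class Rule:
    name: str
    phase: Optional[int] = None                         # None: inherit DEFAULT_PHASE
    match: Callable[["Transaction"], bool] = lambda tx: False
    actions: List[str] = field(default_factory=list)
    marker: bool = False                                # SecMarker: in every phase, never matches


@dataclass
class Transaction:
    remote_addr: str
    fired: List[str] = field(default_factory=list)      # matching rules, in evaluation order
    disruptive: Optional[str] = None                    # first disruptive action taken


def run_phase(phase: int, rules: List[Rule], tx: Transaction,
              default_phase: int = DEFAULT_PHASE) -> None:
    """Evaluate the rules of one phase in file order, honouring skipAfter."""
    chain = [r for r in rules if r.marker or (r.phase or default_phase) == phase]
    i = 0
    while i < len(chain):
        rule = chain[i]
        i += 1
        if rule.marker or not rule.match(tx):
            continue
        tx.fired.append(rule.name)
        for action in rule.actions:
            if action.startswith("skipAfter:"):
                target = action.split(":", 1)[1]
                # Resume after the named marker; if the marker is not in this
                # phase's chain, the remainder of the phase is skipped.
                i = next((j + 1 for j in range(i, len(chain))
                          if chain[j].marker and chain[j].name == target), len(chain))
            elif action in ("drop", "deny", "allow"):
                tx.disruptive = action  # disruptive action ends the phase
                return


def geo_rules(skip_phase: Optional[int]) -> List[Rule]:
    """The first mail's rule set, with the skip rule's phase as the only knob."""
    return [
        Rule("skip_geoip", phase=skip_phase,
             match=lambda tx: tx.remote_addr == "10.128.76.50",
             actions=["skipAfter:AFTER_GEO_IP_CHECK"]),
        Rule("GEO_IP_CHECK", marker=True),
        Rule("ip_block", phase=1,
             match=lambda tx: tx.remote_addr == "10.128.76.50",
             actions=["drop"]),
        Rule("geo_country", phase=1,
             match=lambda tx: GEO_TABLE.get(tx.remote_addr) not in ("US", "CA"),
             actions=["log"]),
        Rule("AFTER_GEO_IP_CHECK", marker=True),
    ]


def process(remote_addr: str, rules: List[Rule]) -> Transaction:
    """Run phases 1..5; a disruptive action stops the transaction."""
    tx = Transaction(remote_addr)
    for phase in (1, 2, 3, 4, 5):
        run_phase(phase, rules, tx)
        if tx.disruptive:
            break
    return tx


if __name__ == "__main__":
    for label, skip_phase in (("skip rule without phase", None), ("skip rule with phase:1", 1)):
        tx = process("10.128.76.50", geo_rules(skip_phase))
        print(f"{label}: fired={tx.fired} disruptive={tx.disruptive}")
```

With the skip rule left in the default phase, phase 1 runs first and the drop rule inside the block fires before the skip rule is ever evaluated; with phase:1 added, the skip rule runs at the head of the same chain, jumps to AFTER_GEO_IP_CHECK, and the block is never reached. Because the match is checked with the engine's debug log in mind, a quick sanity check in a real deployment is the same one the model makes explicit: confirm that the skip rule and the rules it is meant to skip carry the same phase.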