[Owasp-modsecurity-core-rule-set] Problems with Brute Force rules

danil at whiterose.org danil at whiterose.org
Thu Dec 15 20:11:00 UTC 2011


Hi Ryan, thanks for your prompt reply....

"Those rules are tracking and inspecting data in the IP persistent
collection data.  Do you have the IP collection initiation rules activated
at the end of the modsecurity_crs_10_config.conf file?"

We haven't changed those rules from what was provided in
modsecurity_crs_10_config.conf.example, which means those rules are
activated. They match the rules you pasted in precisely.

Additionally, I've learned that if I replace the variable in 981042 with a
constant, the rule fires as I would expect.


SecRule IP:BRUTE_FORCE_COUNTER "@gt 10" \
"phase:5,id:'981042',t:none,log,pass,t:none,setvar:ip.brute_force_burst_counter=+1,expirevar:ip.brute_force_burst_counter=%{tx.brute_force_burst_time_slice},setvar:!ip.brute_force_counter"


Is there a way to confirm that 981214 is actually setting the variables 
correctly?

Thanks,
Danil


