[Owasp-modsecurity-core-rule-set] CRS 2.1.1 Brute Force rules not blocking requests

Ryan Barnett RBarnett at trustwave.com
Sun Mar 20 09:56:04 EDT 2011


Are your protected URLs that you define in the 10 file setvars full paths to the login page(s)?  The check in the brute force file checks these variables against the REQUEST_FILENAME of the current transaction. You sanitized your example configs (/protected_url) so I am not sure if you defined a filename or a directory.

An audit log entry would help.

On Mar 20, 2011, at 5:51 AM, Yonah Russ <owasp at yonahruss.com> wrote:

Hi,

I'm using 2.5.13 with CRS 2.1.1
I've configured the following:

SecAction "phase:1,t:none,nolog,pass, \
setvar:'tx.brute_force_protected_urls=/protected_url /protected_url2', \
setvar:'tx.brute_force_burst_time_slice=60', \
setvar:'tx.brute_force_counter_threshold=5', \
setvar:'tx.brute_force_block_timeout=300'"

When I test, all the requests get through and not even a message in the logs :(
Here is an excerpt from the debug log:
...
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_protected_urls=/protected_url /protected_url2
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_protected_urls" to "/protected_url /protected_url2".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_burst_time_slice=60
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_burst_time_slice" to "60".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_counter_threshold=5
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_counter_threshold" to "5".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_block_timeout=300
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_block_timeout" to "300".
...
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Creating collection (name "global", key "global").
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Recorded original collection variable: global.UPDATE_COUNTER = "0"
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Added collection "global" to the list.
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Resolved macro %{remote_addr} to: 192.168.1.1
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Resolved macro %{tx.ua_hash} to: 3dcbbff145dcf13aa6287b931eb296b39b7541ee
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "__expire_KEY", value "1300615158".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "KEY", value "192.168.1.1_3dcbbff145dcf13aa6287b931eb296b39b7541ee".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "TIMEOUT", value "3600".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "__key", value "192.168.1.1_3dcbbff145dcf13aa6287b931eb296b39b7541ee".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "__name", value "ip".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "CREATE_TIME", value "1300607334".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "UPDATE_COUNTER", value "75".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "dos_counter", value "75".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "LAST_UPDATE_TIME", value "1300611558".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Retrieved collection (name "ip", key "192.168.1.1_3dcbbff145dcf13aa6287b931eb296b39b7541ee").
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Recorded original collection variable: ip.UPDATE_COUNTER = "75"
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Added collection "ip" to the list.
...
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][5] Rule 240d78: SecRule "IP:BRUTE_FORCE_BLOCK" "@eq 1" "phase:1,log,noauditlog,chain,block,msg:'Brute Force Attack Identified from %{remote_addr} (%{tx.brute_force_block_counter} hits since last alert)',setvar:ip.brute_force_block_counter=+1"
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Rule returned 0.
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] No match, chained -> mode NEXT_CHAIN.
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Recipe: Invoking rule 244cd8; [file "/opt/www/conf/modsecurity_crs/base_rules/modsecurity_crs_11_brute_force.conf"] [line "27"].
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][5] Rule 244cd8: SecRule "IP:BRUTE_FORCE_BLOCK" "@eq 1" "phase:1,noauditlog,block,nolog,setvar:ip.brute_force_block_counter=+1"
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Rule returned 0.
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] No match, not chained -> mode NEXT_RULE.
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Recipe: Invoking rule 250338; [file "/opt/www/conf/modsecurity_crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "11"].
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][5] Rule 250338: SecRule "IP:DOS_BLOCK" "@eq 1" "phase:1,log,noauditlog,chain,drop,msg:'Denial of Service (DoS) Attack Identified from %{remote_addr} (%{tx.dos_block_counter} hits since last alert)',setvar:ip.dos_block_counter=+1"
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Rule returned 0.

From what I can see, the request never hits the section of rules which should start counting the requests to the protected url. Instead, it skips to the next ruleset?
Thanks in advance,
Yonah

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
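The path check Ryan asks about, together with the burst, threshold and timeout settings from the quoted config, as an added example that is not code from this thread or from the CRS rule files: a Python model of the per-IP counting and blocking. It assumes that REQUEST_FILENAME must equal one whole entry of the protected-URL list (so a directory entry never covers the login page beneath it), that any non-2xx response to a protected URL counts as a failed login, and that the client is blocked once the counter exceeds the threshold.

```python
# Added example, not code from the thread or from the CRS: a model of how the
# CRS 2.x brute-force rules consume the tx.* settings Yonah posted. Whole-entry
# matching, "non-2xx = failed login" and "block once the threshold is exceeded"
# are assumptions for illustration, not a transcript of the rule file.

BURST_TIME_SLICE = 60     # tx.brute_force_burst_time_slice: window in seconds
COUNTER_THRESHOLD = 5     # tx.brute_force_counter_threshold: failures per window
BLOCK_TIMEOUT = 300       # tx.brute_force_block_timeout: seconds an IP stays blocked

class IpCollection:
    """Stands in for the persistent per-client collection (ip.*)."""
    def __init__(self):
        self.counter = 0          # ip.brute_force_counter
        self.slice_start = None   # start of the current burst window
        self.block_until = 0      # ip.brute_force_block, with its expiry

def is_protected(request_filename, protected_urls):
    # Assumed: REQUEST_FILENAME must equal one whole entry of the space-separated
    # list, so a directory entry does not cover the login page beneath it.
    return request_filename in protected_urls.split()

def handle_request(ip, request_filename, response_status, now, protected_urls):
    """Outcome of one request: 'blocked', 'ignored', 'reset' or 'counted'."""
    if now < ip.block_until:
        return "blocked"              # phase 1 rule: IP:BRUTE_FORCE_BLOCK is set
    if not is_protected(request_filename, protected_urls):
        return "ignored"              # the counting rules are never reached
    if ip.slice_start is None or now - ip.slice_start > BURST_TIME_SLICE:
        ip.slice_start, ip.counter = now, 0   # open a fresh burst window
    if 200 <= response_status < 300:
        ip.counter = 0                # assumed: a successful login clears the count
        return "reset"
    ip.counter += 1                   # failed attempt (non-2xx response)
    if ip.counter > COUNTER_THRESHOLD:
        ip.block_until = now + BLOCK_TIMEOUT
        return "blocked"
    return "counted"

def simulate(protected_urls, path, times, status=401):
    """Outcomes of repeated logins to `path` from one client at `times` (seconds)."""
    ip = IpCollection()
    return [handle_request(ip, path, status, t, protected_urls) for t in times]

if __name__ == "__main__":
    hits = [0, 5, 10, 15, 20, 25, 30]        # constructed: seven tries in 30 s
    # Directory entry, as in the posted config: the login page is never counted.
    print(simulate("/protected_url /protected_url2", "/protected_url/login.php", hits))
    # Full path to the login page: the sixth failure inside the window blocks.
    print(simulate("/protected_url/login.php", "/protected_url/login.php", hits))
```

With the directory-style list every request is "ignored", which matches a debug log that never reaches the counting rules; with the full login path the model counts five failures and blocks from the sixth until the 300-second timeout has passed.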


