[Owasp-modsecurity-core-rule-set] CRS 2.1.1 Brute Force rules not blocking requests

Yonah Russ owasp at yonahruss.com
Sun Mar 20 13:40:57 EDT 2011


Hi,

The short answer is that there are no directories defined - just full
paths.

The long answer is that there are also no actual filenames - the requests are
handled by a content engine doing friendly URLs. The defined URLs are the
friendly ones - so Apache gets a request for www.site.com/protected_url and
uses mod_rewrite to send it to engine.php. Does that make a difference for
REQUEST_FILENAME?

Thanks,
Yonah


On Sun, Mar 20, 2011 at 3:56 PM, Ryan Barnett <RBarnett at trustwave.com> wrote:

> Are your protected URLs that you define in the 10 file setvars full paths
> to the login page(s)?  The check in the brute force file checks these
> variables against the REQUEST_FILENAME of the current transaction. You
> sanitized your example configs (/protected_url) so I am not sure if you
> defined a filename or a directory.
>
> An audit log entry would help.
>
> On Mar 20, 2011, at 5:51 AM, Yonah Russ <owasp at yonahruss.com> wrote:
>
> Hi,
>
> I'm using 2.5.13 with CRS 2.1.1
> I've configured the following:
>
> SecAction "phase:1,t:none,nolog,pass, \
> setvar:'tx.brute_force_protected_urls=/protected_url /protected_url2', \
> setvar:'tx.brute_force_burst_time_slice=60', \
> setvar:'tx.brute_force_counter_threshold=5', \
> setvar:'tx.brute_force_block_timeout=300'"
>
> When I test, all the requests get through and not even a message in the
> logs :(
> Here is an excerpt from the debug log:
> ...
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_protected_urls=/protected_url /protected_url2
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_protected_urls" to "/protected_url /protected_url2".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_burst_time_slice=60
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_burst_time_slice" to "60".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_counter_threshold=5
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_counter_threshold" to "5".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_block_timeout=300
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_block_timeout" to "300".
> ...
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Creating collection (name "global", key "global").
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Recorded original collection variable: global.UPDATE_COUNTER = "0"
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Added collection "global" to the list.
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Resolved macro %{remote_addr} to: 192.168.1.1
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Resolved macro %{tx.ua_hash} to: 3dcbbff145dcf13aa6287b931eb296b39b7541ee
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "__expire_KEY", value "1300615158".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "KEY", value "192.168.1.1_3dcbbff145dcf13aa6287b931eb296b39b7541ee".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "TIMEOUT", value "3600".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "__key", value "192.168.1.1_3dcbbff145dcf13aa6287b931eb296b39b7541ee".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "__name", value "ip".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "CREATE_TIME", value "1300607334".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "UPDATE_COUNTER", value "75".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "dos_counter", value "75".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "LAST_UPDATE_TIME", value "1300611558".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Retrieved collection (name "ip", key "192.168.1.1_3dcbbff145dcf13aa6287b931eb296b39b7541ee").
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Recorded original collection variable: ip.UPDATE_COUNTER = "75"
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Added collection "ip" to the list.
> ...
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][5] Rule 240d78: SecRule "IP:BRUTE_FORCE_BLOCK" "@eq 1" "phase:1,log,noauditlog,chain,block,msg:'Brute Force Attack Identified from %{remote_addr} (%{tx.brute_force_block_counter} hits since last alert)',setvar:ip.brute_force_block_counter=+1"
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Rule returned 0.
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] No match, chained -> mode NEXT_CHAIN.
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Recipe: Invoking rule 244cd8; [file "/opt/www/conf/modsecurity_crs/base_rules/modsecurity_crs_11_brute_force.conf"] [line "27"].
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][5] Rule 244cd8: SecRule "IP:BRUTE_FORCE_BLOCK" "@eq 1" "phase:1,noauditlog,block,nolog,setvar:ip.brute_force_block_counter=+1"
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Rule returned 0.
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] No match, not chained -> mode NEXT_RULE.
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Recipe: Invoking rule 250338; [file "/opt/www/conf/modsecurity_crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "11"].
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][5] Rule 250338: SecRule "IP:DOS_BLOCK" "@eq 1" "phase:1,log,noauditlog,chain,drop,msg:'Denial of Service (DoS) Attack Identified from %{remote_addr} (%{tx.dos_block_counter} hits since last alert)',setvar:ip.dos_block_counter=+1"
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Rule returned 0.
>
> From what I can see, the request never hits the section of rules which
> should start counting the requests to the protected url. Instead, it skips
> to the next ruleset?
> Thanks in advance,
> Yonah
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
> ________________________________
> This transmission may contain information that is privileged, confidential,
> and/or exempt from disclosure under applicable law. If you are not the
> intended recipient, you are hereby notified that any disclosure, copying,
> distribution, or use of the information contained herein (including any
> reliance thereon) is STRICTLY PROHIBITED. If you received this transmission
> in error, please immediately contact the sender and destroy the material in
> its entirety, whether in electronic or hard copy format.
>
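Added example (not code from the thread, and not CRS's own rule file): a small model of what the four setvars in the quoted config drive, written to answer the two questions above. It assumes the CRS 2.x counting rules in modsecurity_crs_11_brute_force.conf run in phase 5, gate on REQUEST_FILENAME being @within tx.brute_force_protected_urls, treat counter > threshold as one "burst", and set ip.brute_force_block for the block timeout once two bursts land inside the burst time slice; the two phase-1 rules it enforces with are the ones visible in the debug log. Verify that layout against the rule file you have installed. The names BruteForceSim, IpCollection, simulate, and the 192.168.1.1 / "test-agent" client are constructed for the example. REQUEST_FILENAME is modelled as the ModSecurity reference defines it (request-URI path without the query string, taken from the request line), which is why an internal mod_rewrite to engine.php does not change what the rule compares.

```python
"""Model of CRS 2.x brute-force tracking as configured in the post (added example)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The four settings from the SecAction in the post.
PROTECTED_URLS = "/protected_url /protected_url2"   # tx.brute_force_protected_urls
BURST_TIME_SLICE = 60                               # tx.brute_force_burst_time_slice
COUNTER_THRESHOLD = 5                               # tx.brute_force_counter_threshold
BLOCK_TIMEOUT = 300                                 # tx.brute_force_block_timeout


def request_filename(request_line: str) -> str:
    """REQUEST_FILENAME per the ModSecurity reference: request-URI path without
    the query string. It is taken from the HTTP request line, not from the file
    Apache ends up serving, so a mod_rewrite to engine.php leaves it as the
    friendly URL the client asked for."""
    _method, uri, _version = request_line.split(" ", 2)
    return uri.split("?", 1)[0]


def within(value: str, arg: str) -> bool:
    """@within: the variable must be a substring of the operator argument.
    Two edges worth knowing: '/protected_url/' (trailing slash) is NOT within
    the list above, while a truncated path such as '/prot' IS."""
    return value in arg


@dataclass
class IpCollection:
    """A persistent ip collection: values plus expirevar deadlines."""
    vars: Dict[str, int] = field(default_factory=dict)
    deadline: Dict[str, int] = field(default_factory=dict)

    def get(self, name: str, now: int) -> int:
        if name in self.deadline and now >= self.deadline[name]:
            self.unset(name)                      # expirevar fired
        return self.vars.get(name, 0)

    def set(self, name: str, value: int, now: int, ttl: Optional[int] = None) -> None:
        self.vars[name] = value
        if ttl is not None:
            self.deadline[name] = now + ttl       # expirevar:ip.name=ttl

    def unset(self, name: str) -> None:          # setvar:!ip.name
        self.vars.pop(name, None)
        self.deadline.pop(name, None)


class BruteForceSim:
    """Outcomes: 'blocked' (phase-1 enforcement of an existing block),
    'not_counted' (URL not protected), 'counted', 'block_set'."""

    def __init__(self) -> None:
        self.collections: Dict[str, IpCollection] = {}

    @staticmethod
    def collection_key(ip: str, user_agent: str) -> str:
        # CRS keys the ip collection on REMOTE_ADDR plus sha1(User-Agent);
        # that is the 'KEY' value in the posted debug log.
        return f"{ip}_{hashlib.sha1(user_agent.encode()).hexdigest()}"

    def handle(self, ip: str, user_agent: str, request_line: str, now: int) -> str:
        coll = self.collections.setdefault(self.collection_key(ip, user_agent), IpCollection())
        # Phase 1 (the rules visible in the debug log): enforce an existing block.
        if coll.get("brute_force_block", now) == 1:
            coll.set("brute_force_block_counter", coll.get("brute_force_block_counter", now) + 1, now)
            return "blocked"
        # Phase 5 (assumed layout of the rule file): skip unless protected.
        if not within(request_filename(request_line), PROTECTED_URLS):
            return "not_counted"
        coll.set("brute_force_counter", coll.get("brute_force_counter", now) + 1, now)
        if coll.get("brute_force_counter", now) > COUNTER_THRESHOLD:
            # One burst: bump the burst counter (expires after the slice), reset the count.
            coll.set("brute_force_burst_counter",
                     coll.get("brute_force_burst_counter", now) + 1, now, BURST_TIME_SLICE)
            coll.unset("brute_force_counter")
        if coll.get("brute_force_burst_counter", now) >= 2:
            coll.set("brute_force_block", 1, now, BLOCK_TIMEOUT)
            return "block_set"
        return "counted"


def simulate(n: int, gap: int, path: str = "/protected_url") -> List[str]:
    """Constructed client (192.168.1.1, fixed User-Agent) sends n requests to
    path, gap seconds apart, starting at t=0; returns the per-request outcomes."""
    sim = BruteForceSim()
    return [sim.handle("192.168.1.1", "test-agent", f"POST {path} HTTP/1.1", t * gap)
            for t in range(n)]
```

With the posted settings a client hammering /protected_url once a second is blocked on its 13th request (two bursts of six), while the same 12 requests spaced 15 seconds apart never trigger a block because the first burst counter expires before the second burst arrives. Whether "blocked" actually denies the request depends on how `block` resolves under your SecDefaultAction and SecRuleEngine, which the model does not cover.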

