[Owasp-modsecurity-core-rule-set] CRS 2.1.1 Brute Force rules not blocking requests

Ryan Barnett RBarnett at trustwave.com
Sun Mar 20 16:26:35 EDT 2011


The brute force rules that count the # of requests and set the block variable actually run in phase 5 logging.  The section of the debug log you showed was from phase 1 where it is deciding to block or not.  Please check later on in the debug log to see how these rules are working.

On Mar 20, 2011, at 1:40 PM, Yonah Russ <owasp at yonahruss.com> wrote:

Hi,

The short answer is that there are no directories defined - just full paths.

The long answer is that there are also no actual filenames - the requests are handled by a content engine doing friendly urls. The defined urls are the friendly ones - so apache gets a request for www.site.com/protected_url and uses mod_rewrite to send it to engine.php - Does that make a difference for REQUEST_FILENAME?

Thanks,
Yonah


On Sun, Mar 20, 2011 at 3:56 PM, Ryan Barnett <RBarnett at trustwave.com> wrote:
Are your protected URLs that you define in the 10 file setvars full paths to the login page(s)?  The check in the brute force file checks these variables against the REQUEST_FILENAME of the current transaction. You sanitized your example configs (/protected_url) so I am not sure if you defined a filename or a directory.

An audit log entry would help.

On Mar 20, 2011, at 5:51 AM, Yonah Russ <owasp at yonahruss.com> wrote:

Hi,

I'm using 2.5.13 with CRS 2.1.1
I've configured the following:

SecAction "phase:1,t:none,nolog,pass, \
setvar:'tx.brute_force_protected_urls=/protected_url /protected_url2', \
setvar:'tx.brute_force_burst_time_slice=60', \
setvar:'tx.brute_force_counter_threshold=5', \
setvar:'tx.brute_force_block_timeout=300'"

When I test, all the requests get through and not even a message in the logs :(
Here is an excerpt from the debug log:
...
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_protected_urls=/protected_url /protected_url2
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_protected_urls" to "/protected_url /protected_url2".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_burst_time_slice=60
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_burst_time_slice" to "60".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_counter_threshold=5
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_counter_threshold" to "5".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_block_timeout=300
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_block_timeout" to "300".
...
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Creating collection (name "global", key "global").
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Recorded original collection variable: global.UPDATE_COUNTER = "0"
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Added collection "global" to the list.
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Resolved macro %{remote_addr} to: 192.168.1.1
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Resolved macro %{tx.ua_hash} to: 3dcbbff145dcf13aa6287b931eb296b39b7541ee
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "__expire_KEY", value "1300615158".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "KEY", value "192.168.1.1_3dcbbff145dcf13aa6287b931eb296b39b7541ee".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "TIMEOUT", value "3600".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "__key", value "192.168.1.1_3dcbbff145dcf13aa6287b931eb296b39b7541ee".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "__name", value "ip".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "CREATE_TIME", value "1300607334".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "UPDATE_COUNTER", value "75".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "dos_counter", value "75".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "LAST_UPDATE_TIME", value "1300611558".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Retrieved collection (name "ip", key "192.168.1.1_3dcbbff145dcf13aa6287b931eb296b39b7541ee").
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Recorded original collection variable: ip.UPDATE_COUNTER = "75"
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Added collection "ip" to the list.
...
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][5] Rule 240d78: SecRule "IP:BRUTE_FORCE_BLOCK" "@eq 1" "phase:1,log,noauditlog,chain,block,msg:'Brute Force Attack Identified from %{remote_addr} (%{tx.brute_force_block_counter} hits since last alert)',setvar:ip.brute_force_block_counter=+1"
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Rule returned 0.
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] No match, chained -> mode NEXT_CHAIN.
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Recipe: Invoking rule 244cd8; [file "/opt/www/conf/modsecurity_crs/base_rules/modsecurity_crs_11_brute_force.conf"] [line "27"].
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][5] Rule 244cd8: SecRule "IP:BRUTE_FORCE_BLOCK" "@eq 1" "phase:1,noauditlog,block,nolog,setvar:ip.brute_force_block_counter=+1"
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Rule returned 0.
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] No match, not chained -> mode NEXT_RULE.
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Recipe: Invoking rule 250338; [file "/opt/www/conf/modsecurity_crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "11"].
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][5] Rule 250338: SecRule "IP:DOS_BLOCK" "@eq 1" "phase:1,log,noauditlog,chain,drop,msg:'Denial of Service (DoS) Attack Identified from %{remote_addr} (%{tx.dos_block_counter} hits since last alert)',setvar:ip.dos_block_counter=+1"
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Rule returned 0.

From what I can see, the request never hits the section of rules which should start counting the requests to the protected url. Instead, it skips to the next ruleset?
Thanks in advance,
Yonah

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
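
Added example (not part of the original thread, and not CRS or ModSecurity code): a small Python helper that splits a ModSecurity 2.x debug log by transaction and phase, so you can see whether the brute force rules file was evaluated in phase LOGGING, where the reply at the top of this thread says the counting happens. The sample lines are constructed in the format of the excerpt above; the rule id `2a0000`, line `40`, the second transaction id and the variable name `ip.brute_force_counter` are illustrative placeholders.

```python
import re
from collections import defaultdict

# Line layout as in the excerpt above:
# [timestamp] [host/sid#..][rid#..][uri][level] message
LINE_RE = re.compile(
    r'^\[[^\]]+\] \[[^\]]*/sid#\w+\]\[rid#(?P<rid>\w+)\]'
    r'\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$')
PHASE_RE = re.compile(r'^Starting phase ([A-Z_]+)\.')
INVOKE_RE = re.compile(
    r'^Recipe: Invoking rule \w+; \[file "([^"]+)"\] \[line "(\d+)"\]')
SETVAR_RE = re.compile(r'^Set variable "([^"]+)" to "([^"]*)"\.')


def phase_report(lines, rules_file="modsecurity_crs_11_brute_force.conf"):
    """Per transaction (rid) and phase: rule lines invoked from rules_file
    and the variables written while one of those rules was running."""
    report = defaultdict(lambda: defaultdict(lambda: {"rules": [], "vars": {}}))
    phase = {}    # rid -> name of the phase currently being processed
    in_file = {}  # rid -> True while the last invoked rule is from rules_file
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped or foreign line: skip rather than guess
        rid, msg = m["rid"], m["msg"]
        if (p := PHASE_RE.match(msg)):
            phase[rid], in_file[rid] = p[1], False
        elif (r := INVOKE_RE.match(msg)):
            in_file[rid] = r[1].endswith(rules_file)
            if in_file[rid]:
                report[rid][phase.get(rid, "UNKNOWN")]["rules"].append(int(r[2]))
        elif (s := SETVAR_RE.match(msg)) and in_file.get(rid):
            report[rid][phase.get(rid, "UNKNOWN")]["vars"][s[1]] = s[2]
    return report


def diagnose(report):
    """One finding per transaction: did the excerpt reach phase LOGGING?"""
    out = {}
    for rid, phases in report.items():
        if "LOGGING" in phases:
            out[rid] = "counting rules ran in LOGGING: %s" % phases["LOGGING"]["vars"]
        else:
            out[rid] = "only %s seen; look further down for LOGGING" % sorted(phases)
    return out


# Constructed sample: one complete transaction, one cut off after phase 1.
P = "[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778]"
BF = "/opt/www/conf/modsecurity_crs/base_rules/modsecurity_crs_11_brute_force.conf"
SAMPLE = [
    P + '[rid#19211a0][/protected_url][4] Starting phase REQUEST_HEADERS.  (nrules=12)',
    P + '[rid#19211a0][/protected_url][4] Recipe: Invoking rule 244cd8; [file "%s"] [line "27"].' % BF,
    P + '[rid#19211a0][/protected_url][4] Rule returned 0.',
    P + '[rid#19211a0][/protected_url][4] Starting phase LOGGING.',
    P + '[rid#19211a0][/protected_url][4] Recipe: Invoking rule 2a0000; [file "%s"] [line "40"].' % BF,
    P + '[rid#19211a0][/protected_url][9] Set variable "ip.brute_force_counter" to "1".',
    P + '[rid#1a00000][/protected_url][4] Starting phase REQUEST_HEADERS.  (nrules=12)',
    P + '[rid#1a00000][/protected_url][4] Recipe: Invoking rule 244cd8; [file "%s"] [line "27"].' % BF,
]

if __name__ == "__main__":
    for rid, finding in diagnose(phase_report(SAMPLE)).items():
        print(rid, "->", finding)
```

An excerpt that starts mid-phase, like the one posted in this thread, is reported under `UNKNOWN` because no phase marker precedes its lines.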
