[Owasp-modsecurity-core-rule-set] crs against brute force not working

Sabin Ranjit think.sabin at gmail.com
Thu Aug 21 16:38:44 UTC 2014


Hi Wesley,
I'm not using WordPress; I'm trying to protect my application, made in the Yii
framework, and its login URL looks like this:
https://domainname.net/user/user/login/
How can I set the brute_force_protected_urls value for this kind of URL? I tried
a few ways but it gave me a syntax error.

thanks,

regards


On Thu, Aug 21, 2014 at 9:36 PM, Wesley Render <wrender at otherdata.com>
wrote:

> In your modsecurity_crs_10_setup.conf file you need to make sure to
> uncomment, and define the paths for your login page.  You will notice the
> first line of the rule is commented out with a regular pound symbol.  Then
> restart apache.  Here is how mine looks. I set it up for WordPress and
> Drupal.  It has been working well for WordPress brute force attempts:
>
> #
> # -- [[ Brute Force Protection ]] ---------------------------------------------------------
> #
> # If you are using the Brute Force Protection rule set, then uncomment the following
> # lines and set the following variables:
> # - Protected URLs: resources to protect (e.g. login pages) - set to your login page
> # - Burst Time Slice Interval: time interval window to monitor for bursts
> # - Request Threshold: request # threshold to trigger a burst
> # - Block Period: temporary block timeout
> #
> SecAction \
>   "id:'900014', \
>   phase:1, \
>   t:none, \
>   setvar:'tx.brute_force_protected_urls=#/wp-login.php# #/user#', \
>   setvar:'tx.brute_force_burst_time_slice=60', \
>   setvar:'tx.brute_force_counter_threshold=10', \
>   setvar:'tx.brute_force_block_timeout=300', \
>   nolog, \
>   pass"
>
> Wesley Render, IT Consultant, RHCSA
> Phone: 1.403.228.1221 ext 201
> www.otherdata.com
> <http://www.facebook.com/otherdata>
>
> From: owasp-modsecurity-core-rule-set-bounces at lists.owasp.org
> [mailto:owasp-modsecurity-core-rule-set-bounces at lists.owasp.org] On Behalf Of Sabin Ranjit
> Sent: August-21-14 4:17 AM
> To: owasp-modsecurity-core-rule-set at lists.owasp.org
> Subject: [Owasp-modsecurity-core-rule-set] crs against brute force not working
>
> hi,
>
> I'm using the latest modsecurity rule set and I tried out crs_11_bruteforce
> from the experimental rules. But it's not working for me. I created a shortlink
> to it in the activated rules directory, restarted apache, and when I
> brute force my web application login page the modsecurity audit log doesn't
> give me any brute force warnings. What could be the problem? I'm using Burp
> Suite Pro's Intruder for brute forcing.
>
> Can anyone point me to a helpful resource that I can follow?
>
> thanks.
>
> regards
>
> sabin
>