[Owasp-modsecurity-core-rule-set] crs against brute force not working

Sabin Ranjit think.sabin at gmail.com
Fri Aug 22 05:21:18 UTC 2014


naah!! I tried it, it's not working for me. I used the value like that, but
when I do a brute force attempt in the web application with random usernames
and passwords it gives me nothing in the mod audit log. I'm using Burp Suite
Pro Intruder for testing.
Have you tried it besides WordPress? Wonder what I'm doing wrong.
Thanks anyway.

cheers


On Thu, Aug 21, 2014 at 11:43 PM, Wesley Render <wrender at otherdata.com>
wrote:

> I believe you would just set yours like this (just include the URL after
> the domain name)...
>
> #
> # -- [[ Brute Force Protection ]] ---------------------------------------------------------
> #
> # If you are using the Brute Force Protection rule set, then uncomment the following
> # lines and set the following variables:
> # - Protected URLs: resources to protect (e.g. login pages) - set to your login page
> # - Burst Time Slice Interval: time interval window to monitor for bursts
> # - Request Threshold: request # threshold to trigger a burst
> # - Block Period: temporary block timeout
> #
> SecAction \
>   "id:'900014', \
>   phase:1, \
>   t:none, \
>   setvar:'tx.brute_force_protected_urls=#/user/user/login/#', \
>   setvar:'tx.brute_force_burst_time_slice=60', \
>   setvar:'tx.brute_force_counter_threshold=10', \
>   setvar:'tx.brute_force_block_timeout=300', \
>   nolog, \
>   pass"
>
> *Wesley Render, IT Consultant, RHCSA*
> Phone: 1.403.228.1221 ext 201
> www.otherdata.com
>
> *From:* Sabin Ranjit [mailto:think.sabin at gmail.com]
> *Sent:* August-21-14 10:39 AM
> *To:* Wesley Render
> *Cc:* owasp-modsecurity-core-rule-set at lists.owasp.org
> *Subject:* Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working
>
> Hi Wesley,
>
> I'm not using WordPress, I'm trying to protect my application made in the Yii
> framework and its login URL looks like this:
> https://domainname.net/user/user/login/
>
> How can I set the brute_force_protected_urls value for this kind of URL? I tried
> a few ways but it gave me a syntax error.
>
> thanks,
>
> regards
>
> On Thu, Aug 21, 2014 at 9:36 PM, Wesley Render <wrender at otherdata.com>
> wrote:
>
> In your modsecurity_crs_10_setup.conf file you need to make sure to
> uncomment and define the paths for your login page. You will notice the
> first line of the rule is commented out with a regular pound symbol. Then
> restart Apache. Here is how mine looks. I set it up for WordPress and
> Drupal. It has been working well for WordPress brute force attempts:
>
> #
> # -- [[ Brute Force Protection ]] ---------------------------------------------------------
> #
> # If you are using the Brute Force Protection rule set, then uncomment the following
> # lines and set the following variables:
> # - Protected URLs: resources to protect (e.g. login pages) - set to your login page
> # - Burst Time Slice Interval: time interval window to monitor for bursts
> # - Request Threshold: request # threshold to trigger a burst
> # - Block Period: temporary block timeout
> #
> SecAction \
>   "id:'900014', \
>   phase:1, \
>   t:none, \
>   setvar:'tx.brute_force_protected_urls=#/wp-login.php# #/user#', \
>   setvar:'tx.brute_force_burst_time_slice=60', \
>   setvar:'tx.brute_force_counter_threshold=10', \
>   setvar:'tx.brute_force_block_timeout=300', \
>   nolog, \
>   pass"
>
> *Wesley Render, IT Consultant, RHCSA*
> Phone: 1.403.228.1221 ext 201
> www.otherdata.com
>
> *From:* owasp-modsecurity-core-rule-set-bounces at lists.owasp.org [mailto:
> owasp-modsecurity-core-rule-set-bounces at lists.owasp.org] *On Behalf Of *Sabin Ranjit
> *Sent:* August-21-14 4:17 AM
> *To:* owasp-modsecurity-core-rule-set at lists.owasp.org
> *Subject:* [Owasp-modsecurity-core-rule-set] crs against brute force not working
>
> Hi,
>
> I'm using the latest ModSecurity rule set and I tried out crs_11_bruteforce
> from the experimental rules. But it's not working for me. I created a shortlink
> to it in the activated rules directory, restarted Apache, and when I
> brute force my web application login page the ModSecurity audit log doesn't
> give me any brute force warnings. What could be the problem? I'm using Burp
> Suite Pro version's Intruder for brute forcing.
>
> Can anyone point to a helpful resource that I can follow?
>
> thanks.
>
> regards
>
> sabin
>
>
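An added illustration, not the CRS rule file and not code from anyone in the thread: a simplified Python model of the per-IP burst counter that the quoted tx.brute_force_* settings describe, using the thread's values (60 s slice, threshold 10, 300 s block) and its `#/path#` list format. The model assumes an exact match between the request path and the protected-URL entries, so a trailing-slash mismatch such as /user/user/login versus /user/user/login/ is never counted; that is an assumption about this model, not a statement about how CRS matches.

```python
# Added model of a burst-counter brute-force rule; it is NOT the CRS
# modsecurity_crs_11_brute_force logic, only the parameter names and the
# values (60 / 10 / 300) come from the thread. Exact-path matching is assumed.
from collections import defaultdict


def parse_protected_urls(value):
    """Turn the '#/path# #/other#' list format into a set of paths."""
    return {tok.strip("#") for tok in value.split()
            if len(tok) > 2 and tok[0] == tok[-1] == "#"}


class BurstTracker:
    def __init__(self, protected_urls, burst_time_slice=60,
                 counter_threshold=10, block_timeout=300):
        self.protected = parse_protected_urls(protected_urls)
        self.slice = burst_time_slice
        self.threshold = counter_threshold
        self.block_timeout = block_timeout
        self.window_start = {}            # ip -> start of the current time slice
        self.counter = defaultdict(int)   # ip -> hits on protected URLs in slice
        self.blocked_until = {}           # ip -> time at which the block expires

    def request(self, ip, path, now):
        """Decide one request: 'block', 'count' (protected, under threshold) or 'pass'."""
        if now < self.blocked_until.get(ip, -1):
            return "block"
        if path not in self.protected:    # assumed exact match: trailing slash matters
            return "pass"
        start = self.window_start.get(ip)
        if start is None or now - start >= self.slice:
            self.window_start[ip] = now   # new time slice: the counter starts over
            self.counter[ip] = 0
        self.counter[ip] += 1
        if self.counter[ip] > self.threshold:
            self.blocked_until[ip] = now + self.block_timeout
            del self.window_start[ip]
            self.counter[ip] = 0
            return "block"
        return "count"


def simulate(tracker, ip, path, times):
    """Replay constructed request timestamps from one client and return the decisions."""
    return [tracker.request(ip, path, t) for t in times]


if __name__ == "__main__":
    t = BurstTracker("#/user/user/login/#")  # protected-URL value from the thread
    # constructed sample: 12 login attempts one second apart from one client
    print(simulate(t, "203.0.113.5", "/user/user/login/", range(12)))
```

Attempts spaced wider than the slice allows (here fewer than 10 per 60 s) never trip the counter, which is one reason a slow Intruder run produces no block or log entry in this model.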