[Owasp-modsecurity-core-rule-set] crs against brute force not working

Sabin Ranjit think.sabin at gmail.com
Tue Aug 26 06:00:57 UTC 2014


Sorry, I checked out everything you have mentioned; it didn't work out for
me. :(

thanks for your replies,

regards,


On Fri, Aug 22, 2014 at 9:40 PM, Wesley Render <wrender at otherdata.com>
wrote:

> No. I have not actually tested it with other web software.  Maybe try the
> following?
>
> ·         Make sure the modsecurity_crs_11_brute_force.conf is loading
> properly.  Maybe you have made a mistake with the symbolic link or put the
> file in the wrong folder.
>
> ·         Make sure you have uncommented the brute force rule in
> modsecurity_crs_10_setup.conf (by default it is commented out).
>
> ·         Maybe try changing your URL to include your actual web login
> file?  I know they show it without pound symbols on each end.  Like this:
> setvar:'tx.brute_force_protected_urls=/wp-login.php', \
>
>
> *Wesley Render, IT Consultant, RHCSA*
> Phone: 1.403.228.1221 ext 201
> www.otherdata.com
>
>
> *From:* Sabin Ranjit [mailto:think.sabin at gmail.com]
> *Sent:* August-21-14 11:21 PM
>
> *To:* Wesley Render
> *Cc:* owasp-modsecurity-core-rule-set at lists.owasp.org
> *Subject:* Re: [Owasp-modsecurity-core-rule-set] crs against brute force
> not working
>
>
>
> Naah!! I tried it; it's not working for me. I used the value like that, but
> when I do a brute force attempt on the web application with random usernames
> and passwords it gives me nothing in the mod audit log. I'm using Burp Suite
> Pro Intruder for testing.
>
> Have you tried it with anything besides WordPress? I wonder what I'm doing wrong.
>
> Thanks anyway.
>
> Cheers
>
>
>
> On Thu, Aug 21, 2014 at 11:43 PM, Wesley Render <wrender at otherdata.com>
> wrote:
>
> I believe you would just set yours like this (just include the URL after
> the domain name)…
>
>
>
> #
> # -- [[ Brute Force Protection ]] ---------------------------------------------------------
> #
> # If you are using the Brute Force Protection rule set, then uncomment the following
> # lines and set the following variables:
> # - Protected URLs: resources to protect (e.g. login pages) - set to your login page
> # - Burst Time Slice Interval: time interval window to monitor for bursts
> # - Request Threshold: request # threshold to trigger a burst
> # - Block Period: temporary block timeout
> #
> SecAction \
>   "id:'900014', \
>   phase:1, \
>   t:none, \
>   setvar:'tx.brute_force_protected_urls=#/user/user/login/#', \
>   setvar:'tx.brute_force_burst_time_slice=60', \
>   setvar:'tx.brute_force_counter_threshold=10', \
>   setvar:'tx.brute_force_block_timeout=300', \
>   nolog, \
>   pass"
>
> *Wesley Render, IT Consultant, RHCSA*
> Phone: 1.403.228.1221 ext 201
> www.otherdata.com
>
>
> *From:* Sabin Ranjit [mailto:think.sabin at gmail.com]
> *Sent:* August-21-14 10:39 AM
> *To:* Wesley Render
> *Cc:* owasp-modsecurity-core-rule-set at lists.owasp.org
> *Subject:* Re: [Owasp-modsecurity-core-rule-set] crs against brute force
> not working
>
>
>
> Hi Wesley,
>
> I'm not using WordPress; I'm trying to protect my application, made in the Yii
> framework, and its login URL looks like this:
> https://domainname.net/user/user/login/
>
> How can I set the brute_force_protected_urls value for this kind of URL? I tried
> a few ways but it gave me a syntax error.
>
> Thanks,
>
> Regards
>
>
>
> On Thu, Aug 21, 2014 at 9:36 PM, Wesley Render <wrender at otherdata.com>
> wrote:
>
> In your modsecurity_crs_10_setup.conf file you need to make sure to
> uncomment it and define the paths for your login page.  You will notice the
> first line of the rule is commented out with a regular pound symbol.  Then
> restart Apache.  Here is how mine looks. I set it up for WordPress and
> Drupal.  It has been working well against WordPress brute force attempts:
>
>
>
> #
> # -- [[ Brute Force Protection ]] ---------------------------------------------------------
> #
> # If you are using the Brute Force Protection rule set, then uncomment the following
> # lines and set the following variables:
> # - Protected URLs: resources to protect (e.g. login pages) - set to your login page
> # - Burst Time Slice Interval: time interval window to monitor for bursts
> # - Request Threshold: request # threshold to trigger a burst
> # - Block Period: temporary block timeout
> #
> SecAction \
>   "id:'900014', \
>   phase:1, \
>   t:none, \
>   setvar:'tx.brute_force_protected_urls=#/wp-login.php# #/user#', \
>   setvar:'tx.brute_force_burst_time_slice=60', \
>   setvar:'tx.brute_force_counter_threshold=10', \
>   setvar:'tx.brute_force_block_timeout=300', \
>   nolog, \
>   pass"
>
> *Wesley Render, IT Consultant, RHCSA*
> Phone: 1.403.228.1221 ext 201
> www.otherdata.com
>
>
> *From:* owasp-modsecurity-core-rule-set-bounces at lists.owasp.org [mailto:
> owasp-modsecurity-core-rule-set-bounces at lists.owasp.org] *On Behalf Of *Sabin
> Ranjit
> *Sent:* August-21-14 4:17 AM
> *To:* owasp-modsecurity-core-rule-set at lists.owasp.org
> *Subject:* [Owasp-modsecurity-core-rule-set] crs against brute force not
> working
>
>
>
> Hi,
>
> I'm using the latest ModSecurity rule set and I tried out crs_11_bruteforce
> from the experimental rules. But it's not working for me. I created a symlink
> to it in the activated rules directory, restarted Apache, and when I
> brute force my web application's login page the ModSecurity audit log doesn't
> give me any brute force warnings. What could be the problem? I'm using Burp
> Suite Pro's Intruder for brute forcing.
>
> Can anyone point me to a helpful resource that I can follow?
>
> Thanks.
>
> Regards
>
> Sabin
>
>
>
>
>
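An added example, not part of the thread and not code from the CRS project: a small Python model of how the CRS 2.2.x brute force rules count requests, written against my reading of modsecurity_crs_11_brute_force.conf (verify against the installed file; the rule behaviour, thresholds and the sample IP address and timings below are this example's assumptions, not quotes from the rule set). Two points in the model bear on the empty audit log reported above. First, the protected-URL check is an @within match, so REQUEST_FILENAME (the needle) has to occur inside the tx.brute_force_protected_urls string (the haystack): with '#/wp-login.php# #/user#' the Yii path /user/user/login/ is never counted, while '#/user/user/login/#' matches. Second, the counting rules are nolog,pass; an alert, and with it an audit log entry, is written only when the per-IP counter passes the threshold twice inside one time slice, so with threshold 10 and a 60-second slice nothing is logged before the 22nd protected request from one address, and an Intruder run that pauses longer than the slice between bursts never blocks at all. The counters live in the ip collection, which additionally needs SecDataDir set to a directory the web server can write and the initcol:ip rule in modsecurity_crs_10_setup.conf; in 2.2.x that collection key includes a hash of the User-Agent as I recall it, so the attempts must share one User-Agent to be counted together.

```python
"""Model of the CRS 2.2.x brute force counter logic.

This is an assumed reading of modsecurity_crs_11_brute_force.conf, not the
rule file itself; check the installed file before relying on the numbers.

Outcome per request:
  "not_counted" - path is not inside tx.brute_force_protected_urls (@within fails)
  "counted"     - protected request, counter still at or below the threshold
  "burst"       - counter exceeded the threshold: burst counter +1, counter reset
  "block_set"   - second burst inside one time slice: ip.brute_force_block set, alert
  "blocked"     - request from an IP whose block has not expired yet
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def url_is_protected(request_filename: str, protected_urls: str) -> bool:
    """@within semantics: REQUEST_FILENAME (needle) must be a substring of
    tx.brute_force_protected_urls (haystack), never the other way round."""
    return request_filename in protected_urls


@dataclass
class IpState:
    counter: int = 0                        # ip.brute_force_counter
    burst_counter: int = 0                  # ip.brute_force_burst_counter
    burst_expires: Optional[float] = None   # expirevar on the burst counter
    block_expires: Optional[float] = None   # expirevar on ip.brute_force_block


class BruteForceModel:
    def __init__(self, protected_urls: str, threshold: int = 10,
                 time_slice: int = 60, block_timeout: int = 300) -> None:
        self.protected_urls = protected_urls
        self.threshold = threshold          # tx.brute_force_counter_threshold
        self.time_slice = time_slice        # tx.brute_force_burst_time_slice
        self.block_timeout = block_timeout  # tx.brute_force_block_timeout
        self.ips: Dict[str, IpState] = {}
        self.alerts: List[Tuple[float, str, int]] = []  # (ts, ip, bursts)

    def request(self, ts: float, ip: str, path: str) -> str:
        st = self.ips.setdefault(ip, IpState())
        # expirevar: collection variables vanish once their lifetime elapsed
        if st.burst_expires is not None and ts >= st.burst_expires:
            st.burst_counter, st.burst_expires = 0, None
        if st.block_expires is not None and ts >= st.block_expires:
            st.block_expires = None
        # phase 1: an existing block is enforced before anything is counted
        if st.block_expires is not None:
            return "blocked"
        # phase 5: counting is skipped unless the path is a protected URL
        if not url_is_protected(path, self.protected_urls):
            return "not_counted"
        st.counter += 1
        if st.counter <= self.threshold:
            return "counted"
        # threshold exceeded: one burst; every burst renews the slice window
        st.burst_counter += 1
        st.burst_expires = ts + self.time_slice
        st.counter = 0
        if st.burst_counter < 2:
            return "burst"
        # second burst inside the window: block the IP and raise the alert
        st.block_expires = ts + self.block_timeout
        self.alerts.append((ts, ip, st.burst_counter))
        return "block_set"


def replay(model: BruteForceModel, requests) -> List[str]:
    """Feed (timestamp, ip, path) tuples through the model in order."""
    return [model.request(ts, ip, path) for ts, ip, path in requests]


def intruder_run(path: str, n: int, start: float = 0.0, step: float = 1.0,
                 ip: str = "203.0.113.7"):
    """Constructed request stream: n attempts to path, one every `step` seconds
    from a sample (documentation-range) address."""
    return [(start + i * step, ip, path) for i in range(n)]


if __name__ == "__main__":
    login = "/user/user/login/"
    # '#/user#' never contains the full Yii login path: nothing is counted
    m = BruteForceModel("#/wp-login.php# #/user#")
    print(set(replay(m, intruder_run(login, 30))))
    # full path listed: burst on the 11th request, block on the 22nd
    m = BruteForceModel("#/user/user/login/#")
    out = replay(m, intruder_run(login, 25))
    print(out.index("burst"), out.index("block_set"), out.count("blocked"))
    # same volume with a pause longer than the slice: the first burst expires
    m = BruteForceModel("#/user/user/login/#")
    reqs = intruder_run(login, 11) + intruder_run(login, 11, start=100.0)
    print(replay(m, reqs).count("block_set"))
```

To check a live installation rather than the model, send the attempts at a steady rate from one client with a fixed User-Agent, make sure the total exceeds twice the threshold inside one time slice, and watch the error log for the alert raised when the block is set; the intermediate counting rules write nothing.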