[Owasp-modsecurity-core-rule-set] Exception for DoS rules for IP range

Barry Pollard barry_pollard at hotmail.com
Fri Feb 13 11:36:12 UTC 2015


Is it possible to exclude modsecurity_crs_11_dos_protection.conf rules only for certain IP ranges?

Our internal test suites are being flagged with this (as expected as they run a lot of tests in a short period of time) so I would like them excluded. However I want the other CRS tests to be included in case we add changes that cause issues with them (and also because ModSecurity is proving quite helpful in identifying issues in our code!).

I also don't want to have to set SecRuleEngine to DetectionOnly in test and ignore the DoS errors, as there are a lot of them in the logs and they could easily lead to real alerts being ignored.

I could just not include this conf file on test environments but would prefer to keep my production and testing configuration the same, with a few exceptions I have based on environment variables (e.g. to have extra logging on in test). Or is there a way to only include files in Apache based on an environment variable?

I also tried to use SecRuleRemoveByMsg, but I think that checks the actual rule message configured in the rule, rather than the one output after the rule runs, so the below does not work to exclude 127.0.x.x IP addresses, for example:

#Remove internal IPs from DoS blocking so Testing can run scripts
SecRuleRemoveByMsg "Denial of Service \(DoS\) Attack Identified from 127\.0"
SecRuleRemoveByMsg "Potential Denial of Service \(DoS\) Attack from 127\.0"

On a separate but related topic, why are these still marked as "experimental" rules rather than optional ones despite being over two years old? Is there a definition on this? Are there extra risks for the experimental rules that I should be aware of and are they not recommended for production use?

Finally, is there a way of searching the mail archives in case any of this has been asked before, as going step by step through the posts on http://lists.owasp.org.pipermail/owasp-modsecurity-core-rule-set/ isn't the easiest.

Thanks,
Barry
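The standard way to do this in ModSecurity 2.x is a runtime exclusion rather than a config-time one: a SecRule that tests REMOTE_ADDR and, when it matches, removes the DoS rules for that transaction only with a ctl: action. The config-time directives (SecRuleRemoveByMsg, SecRuleRemoveById) cannot be made conditional on the client address, and SecRuleRemoveByMsg matches the msg text as written in the rule (which still contains the %{tx.real_ip} macro), not the expanded text seen in the log, which is why a pattern containing "from 127\.0" never matches. The following is an added example and is not from the original post or from the CRS project; the IP ranges and the rule id 1000100 are constructed placeholders, and ctl:ruleRemoveByMsg assumes ModSecurity 2.7 or later (on older builds use ctl:ruleRemoveById with the ids taken from modsecurity_crs_11_dos_protection.conf).

```apache
# Added example (not from the original post or the CRS project).
# Skips the CRS DoS protection rules for requests from internal test ranges
# while every other CRS rule stays active for those clients.
#
# Include this file BEFORE modsecurity_crs_11_dos_protection.conf: a ctl:
# action only affects rules that have not yet run in the current transaction,
# and the DoS block check runs in phase 1. Rules removed here stay removed for
# the rest of the transaction, so the phase 5 DoS counters are skipped too.
#
# Assumptions: 127.0.0.0/8 and 10.20.30.0/24 are constructed example ranges;
# id 1000100 is a placeholder in the local (non-CRS) id space. The regex is
# matched against the msg as configured in the CRS rule, so it deliberately
# uses only the static part shared by both DoS messages quoted in the post.
SecRule REMOTE_ADDR "@ipMatch 127.0.0.0/8,10.20.30.0/24" \
    "id:1000100,phase:1,t:none,pass,nolog,\
    ctl:ruleRemoveByMsg=Denial.of.Service.\(DoS\).Attack"

# Alternative for builds without ctl:ruleRemoveByMsg: remove by id instead.
# Replace <DOS_RULE_ID> with the id(s) of the rules in
# modsecurity_crs_11_dos_protection.conf (placeholder, not a real value).
#SecRule REMOTE_ADDR "@ipMatch 127.0.0.0/8,10.20.30.0/24" \
#    "id:1000101,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=<DOS_RULE_ID>"
```

Because the exclusion is decided per request, production and test can share the same configuration files; only the address list differs, and it can live in a small environment-specific include. On the separate question of conditional includes, Apache's own mechanism is `<IfDefine NAME>` ... `</IfDefine>` around the Include, enabled by starting httpd with `-D NAME`; it tests that startup parameter, not an environment variable.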
