[Owasp-modsecurity-core-rule-set] Exception for DoS rules for IP range
barry_pollard at hotmail.com
Tue Feb 17 11:29:13 UTC 2015
Figured this out myself if anyone's interested.
You don't seem to have access to any variables or headers not specified in the rule arguments, so not as simple as adding a new rule filter (especially if you want to use other fields such as X-Forwarded-For header).
The best way I found was to put a rule in before with a ctl to remove the applicable rule:
SecRule REMOTE_ADDR "^127\.0\." "id:4,nolog,pass,ctl:ruleRemoveById=981044"
And similarly for other rules or other criteria (e.g. X-Forward-By headers...etc).
This gives me the flexibility to remove the rule based on the exact criteria I want rather than complicating the rule itself.
BTW I've found Ivan Ristic's Mod Security Handbook a very good resource for learning Mod Security. I was initially worried it was too old as it only covers up to ModSecurity 2.6, but there seem to have been only small changes since then, so it is still very relevant. The main thing I've noticed is that the id is now mandatory since 2.7. And the first chapters are available free on feistyduck.com.
> From: barry_pollard at hotmail.com
> To: owasp-modsecurity-core-rule-set at lists.owasp.org
> Date: Fri, 13 Feb 2015 11:36:12 +0000
> Subject: [Owasp-modsecurity-core-rule-set] Exception for DoS rules for IP range
> Is it possible to exclude modsecurity_crs_11_dos_protection.conf rules only for certain IP ranges?
> Our internal test suites are being flagged with this (as expected as they run a lot of tests in a short period of time) so I would like them excluded. However I want the other CRS tests to be included in case we add changes that cause issues with them (and also because ModSecurity is proving quite helpful in identifying issues in our code!).
> I also don't want to have to set SecRuleEngine to DetectionOnly in test, and ignore the DoS errors as there are a lot of them in the logs and could easily lead to real alerts being ignored.
> I could just not include this conf file on test environments but would prefer to keep my production and testing configuration the same, with a few exceptions I have based on environment variables (e.g. to have extra logging on in test). Or is there a way to only include files in Apache based on an environment variable?
> I also tried to use SecRuleRemoveByMsg but I think that checks the actual rule message configured in the rule, rather than the one output after the rule runs, so the below does not work to exclude 127.0.x.x IP addresses for example:
> #Remove internal IPs from DoS blocking so Testing can run scripts
> SecRuleRemoveByMsg "Denial of Service \(DoS\) Attack Identified from 127\.0"
> SecRuleRemoveByMsg "Potential Denial of Service \(DoS\) Attack from 127\.0"
> On a separate but related topic, why are these still marked as "experimental" rules rather than optional ones despite being over two years old? Is there a definition on this? Are there extra risks for the experimental rules that I should be aware of and are they not recommended for production use?
> Finally is there a way of searching the mail archives in case any of this has been asked before as going step by step through the posts on http://lists.owasp.org.pipermail/owasp-modsecurity-core-rule-set/ isn't the easiest.
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
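The ctl-based exclusion from the reply, written out as an added example that is not from the original post or the CRS project: a phase-1 rule that exempts the same range the post matches with ^127\.0\. (127.0.0.0/16) by REMOTE_ADDR, plus a second rule for requests arriving through a reverse proxy, where the client address is only in X-Forwarded-For. Rule ids 4 and 5 and the proxy address 10.0.0.5 are assumptions; 981044 is the only DoS rule id the post names, so the remaining ids from modsecurity_crs_11_dos_protection.conf are left as a placeholder.

```apache
# Added example, not from the original post or the CRS project.
# Load this before modsecurity_crs_11_dos_protection.conf so the ctl action
# runs first: ctl:ruleRemoveById applies to the current transaction only and
# only to rules that have not yet been evaluated.

# 1. Direct clients: exempt the assumed test range 127.0.0.0/16 (the same
#    addresses the post matches with ^127\.0\.). @ipMatch takes CIDR ranges,
#    so no regex escaping is needed and the range is easy to widen.
SecRule REMOTE_ADDR "@ipMatch 127.0.0.0/16" \
    "id:4,phase:1,nolog,pass,ctl:ruleRemoveById=981044"
# Placeholder: add the other DoS rule ids from the conf file as further
# ctl:ruleRemoveById actions on the rule above (only 981044 is cited here).

# 2. Clients behind a reverse proxy: REMOTE_ADDR is the proxy, so the real
#    client is the first address in X-Forwarded-For. That header is supplied
#    by whoever sends the request, so it is only trusted when the request
#    came from our own proxy (assumed 10.0.0.5). The chain enforces that:
#    the second rule, which carries the non-disruptive ctl action, is only
#    evaluated when the first rule has already matched.
SecRule REMOTE_ADDR "@ipMatch 10.0.0.5" \
    "id:5,phase:1,nolog,pass,chain"
    SecRule REQUEST_HEADERS:X-Forwarded-For "@rx ^127\.0\." \
        "ctl:ruleRemoveById=981044"
```

Check the audit log after deploying: a request from the exempted range should no longer produce the DoS messages, while requests from any other address should still be counted and blocked as before.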