Home / Browse / ModSecurity / Mail / Archive

ModSecurity

Email Archive: mod-security-users (read-only)

2003:	_Jan	_Feb	_Mar	_Apr	_May	_Jun (2)	_Jul (17)	_Aug (7)	_Sep (8)	_Oct (11)	_Nov (14)	_Dec (19)
2004:	_Jan (46)	_Feb (14)	_Mar (20)	_Apr (48)	_May (15)	_Jun (20)	_Jul (36)	_Aug (24)	_Sep (31)	_Oct (28)	_Nov (23)	_Dec (12)
2005:	_Jan (69)	_Feb (61)	_Mar (82)	_Apr (53)	_May (26)	_Jun (71)	_Jul (27)	_Aug (52)	_Sep (28)	_Oct (49)	_Nov (104)	_Dec (74)
2006:	_Jan (61)	_Feb (148)	_Mar (82)	_Apr (139)	_May (65)	_Jun (116)	_Jul (92)	_Aug (101)	_Sep (84)	_Oct (103)	_Nov (174)	_Dec (102)
2007:	_Jan (166)	_Feb (161)	_Mar (181)	_Apr (152)	_May (192)	_Jun (250)	_Jul (127)	_Aug (165)	_Sep (97)	_Oct (135)	_Nov (206)	_Dec (56)
2008:	_Jan (160)	_Feb (135)	_Mar (98)	_Apr (89)	_May (115)	_Jun (95)	_Jul (188)	_Aug (167)	_Sep (153)	_Oct (84)	_Nov (82)	_Dec (85)
2009:	_Jan (139)	_Feb (133)	_Mar (128)	_Apr (105)	_May (135)	_Jun (79)	_Jul (92)	_Aug (134)	_Sep (73)	_Oct (112)	_Nov (159)	_Dec (80)
2010:	_Jan (100)	_Feb (116)	_Mar (130)	_Apr (59)	_May (87)	_Jun (59)	_Jul (69)	_Aug (67)	_Sep (82)	_Oct (76)	_Nov (59)	_Dec (34)
2011:	_Jan (84)	_Feb (74)	_Mar (81)	_Apr (94)	_May (188)	_Jun (72)	_Jul (118)	_Aug (109)	_Sep (111)	_Oct (80)	_Nov (51)	_Dec (44)
2012:	_Jan (80)	_Feb (123)	_Mar (46)	_Apr (12)	_May (40)	_Jun (62)	_Jul (95)	_Aug (66)	_Sep (65)	_Oct (53)	_Nov (42)	_Dec (60)
2013:	_Jan (96)	_Feb (96)	_Mar (108)	_Apr (72)	_May (89)	_Jun	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec


S	M	T	W	T	F	S
					1	2
					(4)
3	4	5	6	7	8	9
(1)	(10)	(1)	(1)	(3)	(11)
10	11	12	13	14	15	16
	(4)	(6)	(13)	(6)	(8)
17	18	19	20	21	22	23
	(1)	(1)	(1)	(1)	(2)
24	25	26	27	28	29	30
		(4)	(7)	(5)	(4)

Re: [mod-security-users] Questions about STREAM_INPUT_BODY

From: Christian Bockermann <chris@jw...> - 2011-04-29 07:14

Am 29.04.2011 um 01:49 schrieb Ivan Ristic:

> You missed my point, which is that users don't care and shouldn't need
> to be aware of implementation details. The task at hand (protecting
> applications) is difficult as it is.

Thanks for pointing that out, Ivan. I believe this is what makes a lot of
people struggle, just reminding of the phase-1-rules-inside-Location directives
dilemma.

Chris

Re: [mod-security-users] Questions about STREAM_INPUT_BODY

From: Breno Silva <breno.silva@gm...> - 2011-04-29 13:09

Attachments: Message as HTML

Ivan,

You asked about STREAM*. I answer that must be used to data substitution.
You asked again why don't use the current buffers. And i gave you the
details.
I think it is clear. Please if you want more technical details. Please
submit the questions to devel-list. There is no reason to discuss this
details here.

Thanks

Breno

On Fri, Apr 29, 2011 at 2:14 AM, Christian Bockermann <chris@...:

>
> Am 29.04.2011 um 01:49 schrieb Ivan Ristic:
>
> > You missed my point, which is that users don't care and shouldn't need
> > to be aware of implementation details. The task at hand (protecting
> > applications) is difficult as it is.
>
> Thanks for pointing that out, Ivan. I believe this is what makes a lot of
> people struggle, just reminding of the phase-1-rules-inside-Location
> directives
> dilemma.
>
> Chris
>
> ------------------------------------------------------------------------------
> WhatsUp Gold - Download Free Network Management Software
> The most intuitive, comprehensive, and cost-effective network
> management toolset available today.  Delivers lowest initial
> acquisition cost and overall TCO of any competing solution.
> http://p.sf.net/sfu/whatsupgold-sd
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

Re: [mod-security-users] Denial of Service Attacks

From: David Guimaraes <skysbsb@gm...> - 2011-04-29 01:32

Attachments: Message as HTML

Have you tried using apache mod_evasion or mod_limitipconn?

On Wed, Apr 27, 2011 at 11:34 AM, Abdullah, Ayub <Ayub.Abdullah@...:

>  Good Morning,
>
>
>
>
>
>
>
> We are currently using Mod_security 2.5.13 /CRS 2.10 in our environment and
> we were under the impression that Denial of service attacks was a newly
> added feature that allows this functionality.  Well we have been running
> into all sorts of problems getting this set up correctly.  At the moment we
> have enabled xforwarding for on our proxy servers which gives us the ability
> to identify offending IPs that are attacking us.   We would like defend
> against these denial of service attacks using mod_security and the
> httpd-guardian tool.
>
>
>
>
>
>
>
> >From what I have read and assuming httpdguardian is already configured, we
> only need to add one line to the  Apache configuration to deploy it:
>
>
>
>
>
>
>
> SecGuardianLog |/path/to/httpd-guardian
>
>
>
>
>
>
>
> When I insert the above line it blocks all IPs to the site.  How do I
> configure this to blacklist just the offending IP?
>
>
> ------------------------------------------------------------------------------
> WhatsUp Gold - Download Free Network Management Software
> The most intuitive, comprehensive, and cost-effective network
> management toolset available today.  Delivers lowest initial
> acquisition cost and overall TCO of any competing solution.
> http://p.sf.net/sfu/whatsupgold-sd
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>
>


-- 
David Gomes Guimarães

Re: [mod-security-users] Denial of Service Attacks

From: Josh Amishav-Zlatin <jamuse@gm...> - 2011-04-29 07:17

On Wed, Apr 27, 2011 at 5:34 PM, Abdullah, Ayub <Ayub.Abdullah@...> wrote:

> We are currently using Mod_security 2.5.13 /CRS 2.10 in our environment and
> we were under the impression that Denial of service attacks was a newly
> added feature that allows this functionality.  Well we have been running

Hi Ayub,

It sounds like your referring to the new SecReadStateLimit directive.
For more details on that see:

http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html

> into all sorts of problems getting this set up correctly.  At the moment we
> have enabled xforwarding for on our proxy servers which gives us the ability
> to identify offending IPs that are attacking us.   We would like defend
> against these denial of service attacks using mod_security and the
> httpd-guardian tool.

httpd-guardian can help defend against DoS attacks as well, but may be
limited in some scenarios, e.g. multiple clients behind a single
NATted IP.

>
> >From what I have read and assuming httpdguardian is already configured, we
> only need to add one line to the  Apache configuration to deploy it:
>>
> SecGuardianLog |/path/to/httpd-guardian
>
>
> When I insert the above line it blocks all IPs to the site.  How do I
> configure this to blacklist just the offending IP?

What are the $THRESHOLD_1MIN and $THRESHOLD_5MIN variables set to in
httpd-guardian.pl?

--
 - Josh