> -----Original Message-----
> From: mod-security-users-bounces@lists.sourceforge.net
> [mailto:mod-security-users-bounces@lists.sourceforge.net] On Behalf Of Russ Lavoy
> Sent: Wednesday, January 30, 2008 11:14 AM
> To: mod-security-users@lists.sourceforge.net
> Subject: [mod-security-users] Rate Limit POST events
>
> Is there a way to limit post events in modsecurity to
> about 30 a second to remove the spamming of forums and
> such?
>
> Below is what I used to rate limit based on IP.  But I
> am not sure how to rate limit based on the POST count.
> Can I get some help here?
>
> SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}, \
> setvar:request_count=+1,expirevar:request_count=86400"
> SecRule IP:REQUEST_COUNT "@ge 2000" \
> "phase:1,pass,nolog,setvar:ip.blocked=1, \
> expirevar:ip.blocked=86400"
> SecRule IP:BLOCKED "@eq 1" "phase:1,deny,log"
>

[Ryan Barnett] You can pretty much keep the same rule set format that you currently have, which creates the IP collection, and then just add a few rules to it.  There is one update that it looks like you need to make – when you use setvar/expirevar and you want it to be placed inside the IP collection, then it needs to be "setvar:ip.request_count=+1".  The way that it is currently, it would create a TX variable called TX:REQUEST_COUNT.

This is not tested, but try this -

###############
# Load the per-client IP collection and count every request (24-hour expiry)
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}, \
setvar:ip.request_count=+1,expirevar:ip.request_count=86400"

# Count POST requests per client; the counter expires after 30 seconds
SecRule REQUEST_METHOD "^POST$" "phase:1,t:none,pass,nolog,setvar:ip.post_request_count=+1,expirevar:ip.post_request_count=30"
# Flag the client once the POST counter exceeds 1
SecRule IP:POST_REQUEST_COUNT "@gt 1" "phase:1,t:none,pass,nolog,setvar:ip.blocked=1"

# Flag the client for 24 hours once it reaches 2000 requests
SecRule IP:REQUEST_COUNT "@ge 2000" \
"phase:1,pass,nolog,setvar:ip.blocked=1, \
expirevar:ip.blocked=86400"
# Deny and log every request from a flagged client
SecRule IP:BLOCKED "@eq 1" "phase:1,deny,log"
###############

 

The two rules in the middle should identify POST requests and then set the appropriate IP collection variables to be evaluated, and the same ip.blocked variable will be set if a user posts more than 1 post within a 30 sec timeframe.

Let me know if this works.

 

-Ryan
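
Added example, not part of the thread and not ModSecurity code: a small Python model of the phase-1 rules in the reply above, replayed over constructed request timelines to show when a client ends up denied. It assumes every expirevar execution re-arms the timer to now plus the TTL and that expired variables are dropped when the collection is loaded; the collection's own timeout is not modelled, and the hypothetical `post_limit`/`post_ttl` parameters generalize the reply's `@gt 1` and 30-second values.

```python
# Model of the reply's rules (added illustration). Assumptions: expirevar
# re-arms on every execution; expired variables are dropped at initcol time;
# the collection-level timeout is ignored.

class IpCollection:
    """One persistent IP collection: variable values plus expiry times."""
    def __init__(self):
        self.vars = {}
        self.expiry = {}

    def load(self, now):
        # initcol: drop variables whose expirevar timer has run out
        for name in [n for n, t in self.expiry.items() if t <= now]:
            self.vars.pop(name, None)
            del self.expiry[name]

    def incr(self, name, now, ttl):
        # setvar:ip.<name>=+1 together with expirevar:ip.<name>=<ttl>
        self.vars[name] = self.vars.get(name, 0) + 1
        self.expiry[name] = now + ttl


def phase1(col, now, method, post_limit=1, post_ttl=30):
    """Run the reply's phase-1 rules in order; return 'deny' or 'pass'."""
    col.load(now)
    col.incr("request_count", now, 86400)
    if method == "POST":
        col.incr("post_request_count", now, post_ttl)
    if col.vars.get("post_request_count", 0) > post_limit:
        col.vars["blocked"] = 1            # this rule has no expirevar
    if col.vars.get("request_count", 0) >= 2000:
        col.vars["blocked"] = 1
        col.expiry["blocked"] = now + 86400
    return "deny" if col.vars.get("blocked") == 1 else "pass"


def replay(events, **limits):
    """events: constructed (seconds, method) pairs from one client address."""
    col = IpCollection()
    return [phase1(col, t, m, **limits) for t, m in events]


if __name__ == "__main__":
    # Second POST inside 30 s flags the client; a later GET is denied too.
    print(replay([(0, "POST"), (29, "POST"), (3000, "GET")]))
    # Re-armed timer: 4 POSTs spaced 25 s apart still exceed a limit of 3.
    print(replay([(0, "POST"), (25, "POST"), (50, "POST"), (75, "POST")], post_limit=3))
```

Under these assumptions the POST counter behaves as "more than N POSTs with no gap of `post_ttl` seconds or longer between them", not as a fixed per-window rate, and a flag set by the POST rule stays until something else clears it.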