Are you using ModSecurity 2.6.5?

Thanks

Breno

On Mon, Jun 4, 2012 at 9:10 PM, leon xu <xcmffl@gmail.com> wrote:
Hello, everyone

    We use ModSecurity 2.6 to protect some specific pages against DoS attacks.
This is the rule. I tested it on my box, and it works. But in a production environment (3000 concurrent connections in worker MPM), it failed.
Early on I used expirevar:dos_block every 1800 seconds, as the ModSecurity docs suggest. I found the var "dos_block" expired within 1-10 seconds (I dumped the resource db), not 1800. So I changed it to deprecatevar.
But it does not work either.
Is it because of a concurrency problem?

Thanks.


----------------------------------------------------------------

SecRule REQUEST_URI "^/login.php" \
        "phase:1,capture,t:lowercase,t:urlDecodeUni,pass,nolog,setvar:tx.dos_uri=%{TX.1},skip:1"
SecAction "phase:1,pass,nolog,skipAfter:Dos_Marker"





SecAction "phase:1,pass,nolog,t:none,setvar:tx.real_ip=%{REMOTE_ADDR}"
SecAction "phase:1,nolog,initcol:resource='%{tx.real_ip}/'"



SecRule RESOURCE:SHOULD_LOG "@eq 1" "phase:1,pass,nolog,setvar:resource.should_log=0,skip:2"

#already blocked, nolog here
SecRule RESOURCE:DOS_BLOCKED "@eq 1" \
                "phase:1,deny,nolog,severity:'2',status:403,deprecatevar:resource.dos_blocked=1/1800,skipAfter:Dos_Marker"

SecAction "phase:1,pass,nolog,skip:1"

#log version, logdata is real client ip
SecRule RESOURCE:DOS_BLOCKED "@eq 1" \
                     "phase:1,deny,log,auditlog,severity:'2',msg:'99010',id:'99010001',tag:'9901',status:403,deprecatevar:resource.dos_blocked=1/1800,logdata:%{tx.real_ip},skipAfter:Dos_Marker"

#counter++
SecAction "phase:1,nolog,setvar:resource.dos_request_counter=+1,deprecatevar:resource.dos_request_counter=10/60"


# if counter == max then block
SecRule RESOURCE:DOS_REQUEST_COUNTER "@ge 10" \
            "phase:5,nolog,setvar:resource.dos_request_counter=0,setvar:resource.dos_blocked=1,setvar:resource.should_log=1"

SecMarker Dos_Marker
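Added example (not from the post, and not ModSecurity's own code): a single-threaded Python model of the rule set above, so the intended per-IP state machine can be traced request by request. It assumes (1) that `deprecatevar:VAR=N/M` subtracts N for every full M seconds elapsed since the collection's LAST_UPDATE_TIME, clamped at 0, as the reference manual describes; (2) that the collection is persisted (refreshing LAST_UPDATE_TIME) only when a request actually changed one of its variables; and (3) that actions in one rule run in the order written and the phase-5 threshold rule runs after the phase-1 chain. The constructed timeline and IP addresses are sample input; the model does not reproduce concurrent worker processes, so it shows what the rules are meant to do, not why they failed in production.

```python
# Added example: single-threaded model of the DoS rule set from the post.
# Not ModSecurity code; deprecatevar and collection-persistence semantics are assumptions
# (see the lead-in) and the timeline below is constructed sample input.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

THRESHOLD = 10            # SecRule RESOURCE:DOS_REQUEST_COUNTER "@ge 10"
COUNTER_DECAY = (10, 60)  # deprecatevar:resource.dos_request_counter=10/60
BLOCK_DECAY = (1, 1800)   # deprecatevar:resource.dos_blocked=1/1800


@dataclass
class ResourceCollection:
    """Stands in for the per-IP 'resource' collection opened by initcol."""
    dos_request_counter: int = 0
    dos_blocked: int = 0
    should_log: int = 0
    last_update_time: Optional[float] = None   # LAST_UPDATE_TIME, None until first persisted


def deprecate(value: int, now: float, last_update: Optional[float],
              step: int, interval: int) -> int:
    """Assumed deprecatevar semantics: subtract `step` per full `interval` since last update."""
    if last_update is None:
        return value
    return max(0, value - (int(now - last_update) // interval) * step)


class DosRuleSet:
    def __init__(self) -> None:
        self.collections: Dict[str, ResourceCollection] = {}

    def handle(self, client_ip: str, request_uri: str, now: float) -> Tuple[int, bool]:
        """Run one request through the rules; returns (HTTP status, audit-logged deny fired)."""
        # Rules 1-2: anything but /login.php skips straight to Dos_Marker.
        if not request_uri.lower().startswith("/login.php"):
            return 200, False
        col = self.collections.setdefault(client_ip, ResourceCollection())
        dirty = False

        # SecRule RESOURCE:SHOULD_LOG "@eq 1": clear the flag, skip:2 onto the logging deny rule.
        log_this = False
        if col.should_log == 1:
            col.should_log = 0
            log_this = True
            dirty = True

        # Either deny rule: the operator tests the stored value first, then deprecatevar runs
        # as an action, so a value that decays to 0 here only takes effect on the next request.
        if col.dos_blocked == 1:
            new_blocked = deprecate(col.dos_blocked, now, col.last_update_time, *BLOCK_DECAY)
            if new_blocked != col.dos_blocked:
                col.dos_blocked = new_blocked
                dirty = True
            if dirty:
                col.last_update_time = now
            return 403, log_this

        # "#counter++": setvar then deprecatevar, in that order; always changes the collection.
        col.dos_request_counter += 1
        col.dos_request_counter = deprecate(col.dos_request_counter, now,
                                            col.last_update_time, *COUNTER_DECAY)

        # phase 5 "if counter == max then block": takes effect from the next request on.
        if col.dos_request_counter >= THRESHOLD:
            col.dos_request_counter = 0
            col.dos_blocked = 1
            col.should_log = 1

        col.last_update_time = now
        return 200, False


def simulate(timeline) -> Tuple[List[Tuple[float, str, int, bool]], DosRuleSet]:
    """Feed (time, ip, uri) events through a fresh rule set; returns per-request results."""
    rules = DosRuleSet()
    results = [(t, ip, *rules.handle(ip, uri, t)) for t, ip, uri in timeline]
    return results, rules


# Constructed timeline: one client bursts /login.php, another client and another URI are
# unaffected, and the block is probed just before and just after the 1800 s window.
TIMELINE = ([(t, "10.0.0.1", "/login.php") for t in range(10)] + [
    (10, "10.0.0.1", "/login.php"),     # first denied request: logged
    (11, "10.0.0.1", "/login.php"),     # further denials: nolog
    (11, "10.0.0.2", "/login.php"),     # separate collection, passes
    (12, "10.0.0.1", "/index.php"),     # not covered by the rule, passes
    (1809, "10.0.0.1", "/login.php"),   # 1799 s since last change: still blocked
    (1810, "10.0.0.1", "/login.php"),   # decays to 0 during this (still denied) request
    (1811, "10.0.0.1", "/login.php"),   # block lifted, counting starts again
])

# Constructed timeline for counter decay: five hits, then a 66 s pause drops the counter by 10.
DECAY_TIMELINE = [(t, "10.0.0.3", "/login.php") for t in range(5)] + [(70, "10.0.0.3", "/login.php")]

if __name__ == "__main__":
    for t, ip, status, logged in simulate(TIMELINE)[0]:
        print(f"t={t:5} {ip:10} -> {status} {'(audit log)' if logged else ''}")
```

Read with the rules: the tenth request in the burst is still served because the block is decided in phase 5, the eleventh is the single audit-logged 403, and because denials under assumption (2) leave the collection untouched, the block lasts 1800 s from the moment it was set rather than being extended by each rejected attempt.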


_______________________________________________
mod-security-developers mailing list
mod-security-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-developers