Re: [mod-security-users] ip collection does not exist
From: Jamuse <ja...@gm...> - 2011-01-26 09:53:13
Hi Yonah,
It looks like the IP collection does not exist. You need to create the
IP collection via something like:
SecAction phase:1,nolog,pass,initcol:IP=%{REMOTE_ADDR}
If you're using the CRS, I think the 10 config file should initialize it via:
SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"
--
- Josh
On Wed, Jan 26, 2011 at 11:15 AM, Yonah Russ <mod...@yo...> wrote:
> Hi,
>
> I'm not sure if this is a CRS issue or a mod_security issue.
> I'm running Mod_Security 2.5.13 compiled on SPARC with Sun Studio, Apache
> 2.2.17, Solaris 10 with CRS 2.1.1
> Apache is running as user webservd and webservd is the owner of the
> modsecurity_crs directory and the files in it.
>
> I have copied the following rules into the base_rules directory:
> modsecurity_crs_11_dos_protection.conf
> modsecurity_crs_11_slow_dos_protection.conf
>
> I've uncommented the following section in modsecurity_crs_10_config.conf
> SecAction "phase:1,t:none,nolog,pass, \
> setvar:'tx.dos_burst_time_slice=60', \
> setvar:'tx.dos_counter_threshold=100', \
> setvar:'tx.dos_block_timeout=600'"
>
> In the debug log I get the error: Could not set variable "ip.dos_counter" as
> the collection does not exist.
>
> Here is the level 9 debug up to that point (some details obfuscated)
>
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Initialising transaction
> (txid TT-YxKwVByQAAC6ZJSEAAAAC).
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Transaction context
> created (dcfg de7f0).
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Processing disabled,
> skipping (hook request_early).
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] PdfProtect: Not enabled
> here.
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Processing disabled,
> skipping (hook request_late).
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Hook insert_filter:
> Adding PDF XSS protection output filter (r 1630cf0).
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Hook insert_filter:
> Processing disabled, skipping.
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Initialising logging.
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Starting phase LOGGING.
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][9] This phase consists of
> 40 rule(s).
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Recipe: Invoking rule
> 256478; [file
> "/var/www/conf/modsecurity_crs/base_rules/modsecurity_crs_11_dos_protection.conf"]
> [line "24"].
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][5] Rule 256478: SecRule
> "IP:DOS_BLOCK" "@eq 1"
> "phase:5,noauditlog,t:none,nolog,skipAfter:END_DOS_PROTECTION_CHECKS"
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Rule returned 0.
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][9] No match, not chained ->
> mode NEXT_RULE.
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Recipe: Invoking rule
> 256c28; [file
> "/var/www/conf/modsecurity_crs/base_rules/modsecurity_crs_11_dos_protection.conf"]
> [line "30"].
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][5] Rule 256c28: SecRule
> "REQUEST_BASENAME" "!@rx \\.(jpe?g|png|gif|js|css|ico)$"
> "phase:5,noauditlog,t:none,nolog,pass,setvar:ip.dos_counter=+1"
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Transformation completed
> in 7 usec.
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Executing operator "!rx"
> with param "\\.(jpe?g|png|gif|js|css|ico)$" against REQUEST_BASENAME.
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][9] Target value:
> "index.php"
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][6] Ignoring regex captures
> since "capture" action is not enabled.
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Operator completed in
> 189 usec.
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][9] Setting variable:
> ip.dos_counter=+1
> [26/Jan/2011:08:18:13 +0000]
> [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][3] Could not set variable
> "ip.dos_counter" as the collection does not exist.
>
> Any ideas?
> Thanks,
> Yonah
>
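An added example, not part of the original thread or of ModSecurity/CRS: a small Python check that scans rule text for `setvar` writes to the `ip`, `global` or `resource` collections that no earlier `initcol` covers, which is the condition behind the "collection does not exist" debug-log line above. The function names are hypothetical and the sample rule text is constructed from the directives quoted in the messages.

```python
import re

# Collections ModSecurity 2.x creates only when initcol runs; TX needs no setup.
PERSISTENT = {"ip", "global", "resource"}

def directives(conf):
    """Yield (order, text) per SecAction/SecRule, joining backslash continuations."""
    joined = re.sub(r"\\[ \t]*\n[ \t]*", "", conf)
    order = 0
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith(("SecAction", "SecRule ")):
            yield order, line
            order += 1

def missing_initcol(conf):
    """Return sorted (collection, variable, phase) writes with no earlier initcol."""
    inits, writes = {}, []
    for order, text in directives(conf):
        m = re.search(r"phase:(\d)", text)
        when = (int(m.group(1)) if m else 2, order)  # phase 2 is the default
        for col in re.findall(r"initcol:'?(\w+)=", text):
            col = col.lower()  # IP and ip name the same collection
            inits[col] = min(inits.get(col, when), when)
        for col, var in re.findall(r"setvar:'?!?(\w+)\.([\w.]+)", text):
            if col.lower() in PERSISTENT:
                writes.append((col.lower(), var, when))
    # Rules run by phase, then by configuration order within a phase.
    return sorted((c, v, w[0]) for c, v, w in writes
                  if c not in inits or inits[c] > w)

# Constructed sample: the configuration described in the question.
BROKEN = r'''
SecAction "phase:1,t:none,nolog,pass, \
  setvar:'tx.dos_burst_time_slice=60', \
  setvar:'tx.dos_counter_threshold=100', \
  setvar:'tx.dos_block_timeout=600'"
SecRule REQUEST_BASENAME "!@rx \.(jpe?g|png|gif|js|css|ico)$" \
  "phase:5,noauditlog,t:none,nolog,pass,setvar:ip.dos_counter=+1"
'''
# Constructed sample: the same rules preceded by the initcol from the reply.
FIXED = "SecAction phase:1,nolog,pass,initcol:IP=%{REMOTE_ADDR}\n" + BROKEN

if __name__ == "__main__":
    print("broken:", missing_initcol(BROKEN))
    print("fixed: ", missing_initcol(FIXED))
```
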