[Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
From: Oleg G. <ole...@ya...> - 2011-04-11 21:59:58
I'm trying to make dos_protection work in CRS 2.1.2, and it seems to me that something is grossly wrong with this version. It looks like the only rules that are executed are the ones in "phase:5"; everything else is completely ignored.
I have the debug level set to 9, and the only rules that are shown in the log file are those in phase 5 (see below). Please let me know what is wrong.
The collections and variables that are set in modsecurity_crs_10_config.conf are not defined (e.g. the IP collection and the dos_counter_threshold variable).
This is from modsecurity_crs_10_config.conf:
-------------------------------------------
SecAction "phase:1,t:none,nolog,pass, \
setvar:'tx.dos_burst_time_slice=60', \
setvar:'tx.dos_counter_threshold=1', \
setvar:'tx.dos_block_timeout=600'"
...
SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"
...
This is from the log file:
---------------------
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Initialising transaction (txid TaNTXH8AAAEAAFC-AdsAAABJ).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Transaction context created (dcfg b78714e0).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_early).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] PdfProtect: Not enabled here.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_late).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Adding PDF XSS protection output filter (r b8c2bba8).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Processing disabled, skipping.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Initialising logging.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Starting phase LOGGING.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] This phase consists of 36 rule(s).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba1cb0; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "24"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba1cb0: SecRule "IP:DOS_BLOCK" "@eq 1" "phase:5,t:none,nolog,skipAfter:END_DOS_PROTECTION_CHECKS"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba2438; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "30"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba2438: SecRule "REQUEST_BASENAME" "!@rx \\.(jpe?g|png|gif|js|css|ico)$" "phase:5,t:none,log,pass,setvar:ip.dos_counter=+1,logdata:'THRESHOLD= %{tx.dos_counter_threshold}; COUNTER=%{ip.dos_counter}'"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "!rx" with param "\\.(jpe?g|png|gif|js|css|ico)$" against REQUEST_BASENAME.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: ""
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][6] Ignoring regex captures since "capture" action is not enabled.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 17 usec.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Setting variable: ip.dos_counter=+1
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][3] Could not set variable "ip.dos_counter" as the collection does not exist.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][2] Warning. Match of "rx \\.(jpe?g|png|gif|js|css|ico)$" against "REQUEST_BASENAME" required. [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "30"] [data "THRESHOLD= ; COUNTER="]
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 1.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Match -> mode NEXT_RULE.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba30f8; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "37"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba30f8: SecRule "IP:DOS_COUNTER" "@gt %{tx.dos_counter_threshold}" "phase:5,t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7bca648; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "44"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7bca648: SecRule "IP:DOS_BURST_COUNTER" "@ge 1" "phase:5,t:none,log,pass,msg:'Potential Denial of Service (DoS) Attack from %{remote_addr} - # of Request Bursts: %{ip.dos_burst_counter}',setvar:ip.dos_block=1,expirevar:ip.dos_block=%{tx.dos_block_timeout}"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b85598c8; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "21"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b85598c8: SecRule "&TX:'/LEAKAGE\\\\/ERRORS/'" "@ge 1" "phase:5,chain,t:none,log,skipAfter:END_CORRELATION,severity:0,msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "ge" with param "1" against &TX:/LEAKAGE\/ERRORS/.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 2 usec.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained -> mode NEXT_CHAIN.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8578910; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "28"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8578910: SecRule "&TX:'/AVAILABILITY\\\\/APP_NOT_AVAIL/'" "@ge 1" "phase:5,chain,t:none,log,skipAfter:END_CORRELATION,severity:1,msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "ge" with param "1" against &TX:/AVAILABILITY\/APP_NOT_AVAIL/.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 1 usec.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained -> mode NEXT_CHAIN.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8574618; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "32"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8574618: SecRule "TX:INBOUND_ANOMALY_SCORE" "@gt 0" "phase:5,chain,t:none,log,noauditlog,skipAfter:END_CORRELATION,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained -> mode NEXT_CHAIN.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8598b18; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "36"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8598b18: SecRule "TX:INBOUND_ANOMALY_SCORE" "@ge %{tx.inbound_anomaly_score_level}" "phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8585558; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "39"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8585558: SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@ge %{tx.outbound_anomaly_score_level}" "phase:5,t:none,log,noauditlog,pass,msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Audit log: Not configured to run for this request.
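Added example (editor's code, not part of Oleg's post, of ModSecurity or of the CRS): a small triage script for ModSecurity 2.x debug-log lines of the shape quoted above. It parses the fixed prefix of each line, records which Apache hooks reported "Processing disabled, skipping", which phases actually started, how many rules were invoked per rule file, and which setvar actions failed with "Could not set variable ... as the collection does not exist". The interpretation it prints, that the "Processing disabled" lines mean the rule engine was Off (SecRuleEngine Off, or never set, in the configuration context that served the request) while phase 5 still ran, is the editor's reading of the ModSecurity 2.x module source, not a statement from the post; the hook-to-phase mapping and the sample log lines (copied from the post's own log) are likewise the editor's constructions.

```python
import re
from collections import Counter

# Fixed prefix of a ModSecurity 2.x debug-log line:
#   [timestamp] [server/sid#..][rid#..][uri][level] message
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<server>[^\]]+)\]\[(?P<rid>[^\]]+)\]'
    r'\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$'
)
# Message shapes of interest, all taken from the log quoted in the post.
HOOK_SKIPPED_RE = re.compile(r'Processing disabled, skipping \(hook (?P<hook>\w+)\)')
FILTER_SKIPPED_RE = re.compile(r'Hook (?P<hook>\w+): Processing disabled, skipping')
PHASE_RE = re.compile(r'Starting phase (?P<phase>[A-Z_]+)')
RULE_RE = re.compile(r'Recipe: Invoking rule \w+; \[file "(?P<file>[^"]+)"\] \[line "(?P<line>\d+)"\]')
NO_COLLECTION_RE = re.compile(r'Could not set variable "(?P<var>[^"]+)" as the collection does not exist')

# Phase each skipped Apache hook would have run (editor's mapping from the 2.x module source).
HOOK_TO_PHASE = {
    "request_early": "1 (REQUEST_HEADERS)",
    "request_late": "2 (REQUEST_BODY)",
    "insert_filter": "3/4 (response output filter)",
}

# Constructed sample: lines copied from the log in the post, one transaction.
SAMPLE_LOG = """\
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_early).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_late).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Processing disabled, skipping.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Starting phase LOGGING.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba1cb0; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "24"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba2438; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "30"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][3] Could not set variable "ip.dos_counter" as the collection does not exist.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b85598c8; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "21"].
"""


def parse_line(line):
    """Split one debug-log line into its fields; None if it is not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"])
    return rec


def triage(text):
    """Summarise which hooks were skipped, which phases ran, rules per file,
    and setvar actions that failed because their collection was never initialised."""
    result = {"engine_disabled": False, "skipped_hooks": [], "phases_started": [],
              "rules_by_file": Counter(), "collection_errors": [], "unparsed": 0}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            result["unparsed"] += 1
            continue
        msg = rec["msg"]
        m = HOOK_SKIPPED_RE.search(msg) or FILTER_SKIPPED_RE.search(msg)
        if m:
            result["engine_disabled"] = True
            result["skipped_hooks"].append(m.group("hook"))
            continue
        m = PHASE_RE.search(msg)
        if m:
            result["phases_started"].append(m.group("phase"))
            continue
        m = RULE_RE.search(msg)
        if m:
            result["rules_by_file"][m.group("file")] += 1
            continue
        m = NO_COLLECTION_RE.search(msg)
        if m:
            result["collection_errors"].append(m.group("var"))
    return result


def report(result):
    """Render the triage result as the lines an operator would want to read."""
    out = []
    if result["engine_disabled"]:
        out.append("rule engine is Off for the context that handled this request; "
                   "request/response hooks were skipped and only the logging phase ran")
        for hook in result["skipped_hooks"]:
            out.append(f"  skipped hook {hook} -> phase {HOOK_TO_PHASE.get(hook, '?')}")
    out.append("phases started: " + (", ".join(result["phases_started"]) or "none"))
    for path, n in sorted(result["rules_by_file"].items()):
        out.append(f"  {n} rule(s) invoked from {path}")
    for var in result["collection_errors"]:
        coll = var.split(".", 1)[0]
        out.append(f"setvar on {var} failed: collection '{coll}' does not exist, "
                   f"so the initcol:{coll}=... action in an earlier phase never ran")
    return out


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run against the quoted log, the script reports three skipped hooks (phases 1 through 4), a single started phase (LOGGING), and one failed setvar on ip.dos_counter. That pattern is consistent with the phase 1 SecAction that runs initcol:ip never having executed, and the check it points to is the effective SecRuleEngine value for the vhost, Directory or Location that served "/index.html" (the debug log prints a per-directory config pointer, "dcfg ...", for the transaction), since a rule engine that is Off skips the request and response phases but, as the log above shows, still runs phase 5.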