Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
From: Oleg G. <ole...@ya...> - 2011-04-11 22:54:52
Ryan,
Thank you for the quick response. Here is the information that you've requested:
Apache/2.2.17 (Debian)
modsecurity-apache_2.5.13
The *.conf files are attached as well. I'll try CRS 2.1.3 and let you know if it
works.
Please let me know if you have a fix,
Oleg.
----- Original Message ----
> From: Ryan Barnett <RBa...@tr...>
> To: "ol...@gr..." <ol...@gr...>; "mod...@li..." <mod...@li...>
> Sent: Mon, April 11, 2011 3:28:38 PM
> Subject: Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
>
> Oleg,
>
> What Apache and ModSecurity versions are you using?
>
> Can you try and sync from SVN and try the 2.1.3 version of CRS?
>
> This does look odd as it is essentially skipping phases 1-4 and then
> picking up rules in phase:5. Can you send your
> modsecurity_crs_10_config.conf file?
>
> -Ryan
>
> On 4/11/11 5:59 PM, "Oleg Gryb" <ole...@ya...> wrote:
>
> >I'm trying to make dos_protection work in CRS 2.1.2 and it seems to me
> >that something is grossly wrong with this version. It looks like the only
> >rules that are executed are the ones in "phase:5", everything else is
> >completely ignored.
> >
> >I have debug level set to 9 and the only rules that are shown in the log file
> >are those that are in phase 5 (see below). Please let me know what is wrong.
> >
> >The collections and variables that are set in
> >modsecurity_crs_10_config.conf are not defined (e.g. IP collection and
> >dos_counter_threshold variable)
> >
> >This is from modsecurity_crs_10_config.conf:
> >-------------------------------------------
> >SecAction "phase:1,t:none,nolog,pass, \
> >setvar:'tx.dos_burst_time_slice=60', \
> >setvar:'tx.dos_counter_threshold=1', \
> >setvar:'tx.dos_block_timeout=600'"
> >...
> >SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"
> >...
> >
> >This is from log file:
> >---------------------
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Initialising transaction (txid TaNTXH8AAAEAAFC-AdsAAABJ).
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Transaction context created (dcfg b78714e0).
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_early).
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] PdfProtect: Not enabled here.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_late).
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Adding PDF XSS protection output filter (r b8c2bba8).
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Processing disabled, skipping.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Initialising logging.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Starting phase LOGGING.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] This phase consists of 36 rule(s).
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba1cb0; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "24"].
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba1cb0: SecRule "IP:DOS_BLOCK" "@eq 1" "phase:5,t:none,nolog,skipAfter:END_DOS_PROTECTION_CHECKS"
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba2438; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "30"].
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba2438: SecRule "REQUEST_BASENAME" "!@rx \\.(jpe?g|png|gif|js|css|ico)$" "phase:5,t:none,log,pass,setvar:ip.dos_counter=+1,logdata:'THRESHOLD= %{tx.dos_counter_threshold}; COUNTER=%{ip.dos_counter}'"
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "!rx" with param "\\.(jpe?g|png|gif|js|css|ico)$" against REQUEST_BASENAME.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: ""
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][6] Ignoring regex captures since "capture" action is not enabled.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 17 usec.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Setting variable: ip.dos_counter=+1
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][3] Could not set variable "ip.dos_counter" as the collection does not exist.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][2] Warning. Match of "rx \\.(jpe?g|png|gif|js|css|ico)$" against "REQUEST_BASENAME" required. [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "30"] [data "THRESHOLD= ; COUNTER="]
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 1.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Match -> mode NEXT_RULE.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba30f8; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "37"].
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba30f8: SecRule "IP:DOS_COUNTER" "@gt %{tx.dos_counter_threshold}" "phase:5,t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter"
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7bca648; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "44"].
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7bca648: SecRule "IP:DOS_BURST_COUNTER" "@ge 1" "phase:5,t:none,log,pass,msg:'Potential Denial of Service (DoS) Attack from %{remote_addr} - # of Request Bursts: %{ip.dos_burst_counter}',setvar:ip.dos_block=1,expirevar:ip.dos_block=%{tx.dos_block_timeout}"
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b85598c8; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "21"].
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b85598c8: SecRule "&TX:'/LEAKAGE\\\\/ERRORS/'" "@ge 1" "phase:5,chain,t:none,log,skipAfter:END_CORRELATION,severity:0,msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "ge" with param "1" against &TX:/LEAKAGE\/ERRORS/.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0"
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 2 usec.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained -> mode NEXT_CHAIN.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8578910; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "28"].
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8578910: SecRule "&TX:'/AVAILABILITY\\\\/APP_NOT_AVAIL/'" "@ge 1" "phase:5,chain,t:none,log,skipAfter:END_CORRELATION,severity:1,msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "ge" with param "1" against &TX:/AVAILABILITY\/APP_NOT_AVAIL/.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0"
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 1 usec.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained -> mode NEXT_CHAIN.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8574618; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "32"].
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8574618: SecRule "TX:INBOUND_ANOMALY_SCORE" "@gt 0" "phase:5,chain,t:none,log,noauditlog,skipAfter:END_CORRELATION,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained -> mode NEXT_CHAIN.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8598b18; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "36"].
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8598b18: SecRule "TX:INBOUND_ANOMALY_SCORE" "@ge %{tx.inbound_anomaly_score_level}" "phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8585558; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "39"].
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8585558: SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@ge %{tx.outbound_anomaly_score_level}" "phase:5,t:none,log,noauditlog,pass,msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'"
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
> >[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Audit log: Not configured to run for this request.
> >
> >
> >
> >
>
>
> This transmission may contain information that is privileged, confidential,
>and/or exempt from disclosure under applicable law. If you are not the intended
>recipient, you are hereby notified that any disclosure, copying, distribution,
>or use of the information contained herein (including any reliance thereon) is
>STRICTLY PROHIBITED. If you received this transmission in error, please
>immediately contact the sender and destroy the material in its entirety, whether
>in electronic or hard copy format.
>
>
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
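The quoted debug log carries the diagnosis on its own: every request hook reports "Processing disabled, skipping", no phase before LOGGING ever starts, and the phase:5 setvar on the IP collection then fails because the phase:1 initcol in modsecurity_crs_10_config.conf never ran. Below is an added triage script that is not part of the thread, of ModSecurity or of the CRS project; it parses the level-9 debug-log line format shown in the message and flags those two conditions. It assumes, as ModSecurity 2.x does, that "Processing disabled" marks a request for which the rule engine is not enabled in the serving context, so the finding points at SecRuleEngine; the two embedded logs are constructed samples, one condensed from the thread's log with the e-mail wrapping undone and one showing what an enabled engine looks like.

```python
"""Triage helper for ModSecurity 2.x debug logs (SecDebugLogLevel 9).

Added example, not code from the thread, ModSecurity or the CRS project.
It parses the "[ts] [host/sid][rid][uri][level] msg" line format and flags
two things that together explain a log in which only phase:5 rules appear:
the request hooks were skipped ("Processing disabled"), so the phase:1
SecAction that runs initcol never executed, and the phase:5 setvar on the
IP collection then fails ("collection does not exist").
"""
import re

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<sid>[^\]]+)\]\[(?P<rid>[^\]]+)\]"
    r"\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$"
)
DISABLED_RE = re.compile(r"Processing disabled, skipping \(hook (\w+)\)")
PHASE_RE = re.compile(r"^Starting phase (\w+)\.")
NOCOLL_RE = re.compile(
    r'Could not set variable "(\w+)\.[^"]*" as the collection does not exist'
)
RULE_RE = re.compile(r"^Recipe: Invoking rule ([0-9a-f]+);")

# Constructed sample: a condensed excerpt of the log quoted in the thread,
# with the e-mail line wrapping undone so each entry is one line.
BROKEN_LOG = r"""
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Initialising transaction (txid TaNTXH8AAAEAAFC-AdsAAABJ).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_early).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_late).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Starting phase LOGGING.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba2438; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "30"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Setting variable: ip.dos_counter=+1
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][3] Could not set variable "ip.dos_counter" as the collection does not exist.
"""

# Constructed sample of a request with the engine enabled: every phase starts.
HEALTHY_LOG = r"""
[11/Apr/2011:12:20:00 --0700] [localhost/sid#b85b0b18][rid#b8c2bbaa][/index.html][4] Starting phase REQUEST_HEADERS.
[11/Apr/2011:12:20:00 --0700] [localhost/sid#b85b0b18][rid#b8c2bbaa][/index.html][4] Starting phase REQUEST_BODY.
[11/Apr/2011:12:20:00 --0700] [localhost/sid#b85b0b18][rid#b8c2bbaa][/index.html][4] Starting phase RESPONSE_HEADERS.
[11/Apr/2011:12:20:00 --0700] [localhost/sid#b85b0b18][rid#b8c2bbaa][/index.html][4] Starting phase RESPONSE_BODY.
[11/Apr/2011:12:20:00 --0700] [localhost/sid#b85b0b18][rid#b8c2bbaa][/index.html][4] Starting phase LOGGING.
[11/Apr/2011:12:20:00 --0700] [localhost/sid#b85b0b18][rid#b8c2bbaa][/index.html][9] Setting variable: ip.dos_counter=+1
"""


def parse_debug_log(text):
    """Return one dict per well-formed debug-log line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["level"] = int(entry["level"])
            entries.append(entry)
    return entries


def analyze(entries):
    """Summarise one transaction's entries and derive findings from them."""
    phases, hooks, missing = [], [], []
    rules = 0
    for e in entries:
        msg = e["msg"]
        m = PHASE_RE.match(msg)
        if m and m.group(1) not in phases:
            phases.append(m.group(1))           # phases in the order they started
        m = DISABLED_RE.search(msg)
        if m:
            hooks.append(m.group(1))            # request hooks that were skipped
        m = NOCOLL_RE.search(msg)
        if m and m.group(1) not in missing:
            missing.append(m.group(1))          # collections setvar could not find
        if RULE_RE.match(msg):
            rules += 1

    findings = []
    if hooks and phases == ["LOGGING"]:
        findings.append(
            "rule engine was not enabled for this request (hooks skipped: %s); "
            "phases 1-4 never ran, only phase:5 LOGGING executed. Check "
            "SecRuleEngine in the context that served the request." % ", ".join(hooks)
        )
    for coll in missing:
        findings.append(
            "setvar on collection '%s' failed because it was never initialised: "
            "its initcol lives in a phase:1 SecAction, which did not run." % coll
        )
    return {"phases_started": phases, "disabled_hooks": hooks,
            "missing_collections": missing, "rules_invoked": rules,
            "findings": findings}


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_LOG), ("healthy", HEALTHY_LOG)):
        report = analyze(parse_debug_log(text))
        print(name, report["phases_started"], "rules:", report["rules_invoked"])
        for finding in report["findings"]:
            print("  -", finding)
```

Run against a real level-9 log, the script is most useful one transaction at a time (group lines by the `rid#` value first); a healthy transaction starts with REQUEST_HEADERS, and a DoS-protection counter that silently fails to increment is itself a detection gap worth alerting on.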