[Mod-security-developers] CRS DoS bugs/suggestions
From: Oleg G. <ole...@ya...> - 2011-06-16 16:32:17
I was testing the DoS ruleset lately and found that there probably was a bug related to the ip.dos_counter variable. The expiration time was not set for this variable; as a result, the counter persists longer than tx.dos_burst_time_slice, so the history of hits is counted over a longer time period.
I've added an expiration time in two places and it started to work correctly after that. The changes are below:
SecRule REQUEST_BASENAME "!\.(jpe?g|png|gif|js|css|ico)$" "phase:5,t:none,nolog,pass,setvar:ip.dos_counter=+1,expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}"
...
SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" "phase:5,t:none,nolog,pass,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter,expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}"
I've also attached a sample testing program. I think we should have something like that to test all limits. There are only two tests implemented for now, for request size and DoS, but it should be easy to add more.
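As an added illustration of the bug described in the post above (constructed example code, not part of the post or of the CRS project), the following Python model reproduces ModSecurity's setvar/expirevar semantics on the per-IP collection and replays the two quoted rules over constructed request timestamps. The burst time slice (60 s), the counter threshold (5) and the request times are assumed values chosen to keep the trace short; the point is that without an expiry on ip.dos_counter, hits from an earlier time slice carry over and the threshold is reached on traffic that never formed a burst.

```python
"""Model of the CRS DoS counter rules with and without expirevar on ip.dos_counter.

Added example, not code from the post or from the CRS project. It simulates
ModSecurity's persistent ip.* collection (setvar:+1, expirevar, setvar:!)
closely enough to show why the counter must expire after the burst time slice.
"""
from dataclasses import dataclass, field


@dataclass
class IpCollection:
    """Minimal model of a ModSecurity persistent collection (ip.*)."""
    vars: dict = field(default_factory=dict)     # name -> value
    expires: dict = field(default_factory=dict)  # name -> absolute expiry time

    def get(self, name, now):
        # An expired variable reads as absent, as ModSecurity does on collection load.
        if name in self.expires and now >= self.expires[name]:
            self.vars.pop(name, None)
            self.expires.pop(name, None)
        return self.vars.get(name, 0)

    def incr(self, name, now, delta=1):           # setvar:ip.x=+1
        self.vars[name] = self.get(name, now) + delta

    def expirevar(self, name, now, ttl):          # expirevar:ip.x=ttl
        self.expires[name] = now + ttl

    def unset(self, name):                        # setvar:!ip.x
        self.vars.pop(name, None)
        self.expires.pop(name, None)


def run_dos_rules(timestamps, burst_time_slice, counter_threshold, expire_counter):
    """Replay the two rules quoted in the post over request times (seconds).

    Returns the times at which ip.dos_burst_counter was incremented, i.e. when
    ip.dos_counter reached tx.dos_counter_threshold. expire_counter=False is the
    original ruleset (no expirevar on ip.dos_counter); True is the poster's fix.
    """
    ip = IpCollection()
    bursts = []
    for now in timestamps:
        # Rule 1: every non-static request bumps the per-slice hit counter.
        ip.incr("dos_counter", now)
        if expire_counter:
            ip.expirevar("dos_counter", now, burst_time_slice)
        # Rule 2: threshold reached -> record a burst and reset the hit counter.
        if ip.get("dos_counter", now) >= counter_threshold:
            ip.incr("dos_burst_counter", now)
            ip.expirevar("dos_burst_counter", now, burst_time_slice)
            bursts.append(now)
            ip.unset("dos_counter")
            if expire_counter:
                ip.expirevar("dos_counter", now, burst_time_slice)
    return bursts


# Constructed traffic: three requests, a 98 s pause, three more requests.
# With a 60 s slice these are two separate, harmless slices of 3 hits each.
SLOW_TRAFFIC = [0, 1, 2, 100, 101, 102]
# Constructed traffic: five requests in five seconds, a genuine burst.
BURST_TRAFFIC = [0, 1, 2, 3, 4]
SLICE = 60       # assumed tx.dos_burst_time_slice
THRESHOLD = 5    # assumed tx.dos_counter_threshold

if __name__ == "__main__":
    print("original rules, slow traffic :", run_dos_rules(SLOW_TRAFFIC, SLICE, THRESHOLD, False))
    print("fixed rules,    slow traffic :", run_dos_rules(SLOW_TRAFFIC, SLICE, THRESHOLD, True))
    print("fixed rules,    burst traffic:", run_dos_rules(BURST_TRAFFIC, SLICE, THRESHOLD, True))
```

Run as a script, the first line reports a burst at t=101 for traffic that never exceeded three hits per slice, because the stale counter from t=0..2 is still counted; the fixed rules report no burst for that traffic and still catch the real burst at t=4.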