Re: [Mod-security-developers] CRS DoS bugs/suggestions
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [Mod-security-developers] CRS DoS bugs/suggestions
|
From: Ryan B. <RBa...@tr...> - 2011-06-17 12:16:05
|
Oleg,
First of all, thank you for taking the time to test these rules further. The rule quality will only improve if the community takes the time to test them and report back the status.
To your comments about the lack of "expirevar" actions, this should not be needed for the ip.dos_counter var as the last rule uses the "setvar:!ip.dos_counter" action to actually remove that variable if the operator matches. Can you please check your debug log during testing to verify if that action is not removing that variable? Perhaps there is a bug in removing the variable with the "!" symbol and using expirevar is more reliable.
Also – what version of ModSecurity are you using?
-Ryan
From: Oleg Gryb <ole...@ya...<mailto:ole...@ya...>>
Reply-To: "ol...@gr...<mailto:ol...@gr...>" <ol...@gr...<mailto:ol...@gr...>>, "mod...@li...<mailto:mod...@li...>" <mod...@li...<mailto:mod...@li...>>
Date: Thu, 16 Jun 2011 11:32:11 -0500
To: "mod...@li...<mailto:mod...@li...>" <mod...@li...<mailto:mod...@li...>>
Subject: [Mod-security-developers] CRS DoS bugs/suggestions
I was testing DoS ruleset lately and found that there probably was a bug related to ip.dos_counter variable. The expiration time was not set for this var, as a result the counter persists longer than tx.dos_burst_time_slice. As a result, the history of hits is counted for a longer time period.
I've added expiration time in two places and it started to work correctly after that. The changes are below:
SecRule REQUEST_BASENAME "!\.(jpe?g|png|gif|js|css|ico)$" "phase:5,t:none,nolog,pass,setvar:ip.dos_counter=+1,expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}"
...
SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" "phase:5,t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter,expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}"
I've also attached the sample of testing program. I think, we should have something like that to test all limits. There are only two tests implemented for now: for request size and DoS, but it should be easy to add more.
________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
|
