Re: [Mod-security-developers] SecWriteStateLimit Logging
From: Ryan B. <RBa...@tr...> - 2012-01-09 16:59:24
Can you confirm that you are under an active attack? You may need to modify the SecWriteStateLimit settings if you are finding that you are having false positives. Since these log messages are generated from a directive and not a rule, we don't have any options for altering logging or response actions. It is hard coded to generate the alert for each thread that it is terminating.

--
Ryan Barnett
Senior Security Researcher
Trustwave - SpiderLabs

On 1/9/12 7:16 AM, "Anestis Bechtsoudis" <bec...@gm...> wrote:

>Hello list,
>
>recently applied the SecWriteStateLimit workaround for slow HTTP read
>DoS attack, as proposed from spiderlabs [1]. Although, we face a great
>logging overhead on our servers originating from such attacks.
>
>Is there any method to limit the logging events at the error_log that
>I am missing? Searching the list archives didn't show up something relevant.
>
>Speaking about Version 2.2.3.
>
>Kind Regards,
>Anestis
>
>[1]
>http://blog.spiderlabs.com/2012/01/modsecurity-advanced-topic-of-the-week-mitigation-of-slow-read-denial-of-service-attack.html
>--
>Anestis Bechtsoudis
>Network Operation Center
>Dept. of Computer Engineering & Informatics
>University of Patras, Greece
>Website: http://bechtsoudis.com
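
Since the directive logs one alert per terminated thread and that behaviour cannot be tuned, one way to approach the attack-or-false-positive question is to aggregate the error_log alerts per client after the fact. The following is an added example, not part of the thread and not ModSecurity code; the alert message pattern, the sample lines and the `min_hits` threshold are assumptions to check against your own error_log.

```python
import re
from collections import Counter

# Assumed shape of the per-thread alert; verify against your own error_log.
ALERT_RE = re.compile(
    r"Too many threads \[(?P<count>\d+)\] of (?P<limit>\d+) allowed in "
    r"WRITE state from (?P<ip>[0-9A-Fa-f:.]+)"
)

# Constructed sample lines (documentation IP ranges), not real log data.
_MSG = ("[Mon Jan 09 07:01:{s:02d} 2012] [warn] ModSecurity: Access denied with "
        "code 400. Too many threads [{c}] of 50 allowed in WRITE state from {ip} "
        "- Possible DoS Consumption Attack [Rejected]")
SAMPLE_LOG = [
    _MSG.format(s=1, c=51, ip="192.0.2.10"),
    _MSG.format(s=1, c=52, ip="192.0.2.10"),
    "[Mon Jan 09 07:01:02 2012] [error] File does not exist: /var/www/favicon.ico",
    _MSG.format(s=2, c=58, ip="192.0.2.10"),
    _MSG.format(s=3, c=51, ip="198.51.100.7"),
    _MSG.format(s=4, c=64, ip="192.0.2.10"),
]

def summarize(lines, min_hits=3):
    """Collapse per-thread alerts into one record per client IP."""
    hits, peak, limit = Counter(), {}, {}
    for line in lines:
        m = ALERT_RE.search(line)
        if m is None:
            continue  # unrelated error_log entry
        ip = m["ip"]
        hits[ip] += 1
        peak[ip] = max(peak.get(ip, 0), int(m["count"]))
        limit[ip] = int(m["limit"])
    return [
        {
            "ip": ip,
            "alerts": n,
            "peak_threads": peak[ip],
            "limit": limit[ip],
            # Assumed triage heuristic: repeated alerts from one client look
            # like an attack; an isolated one may mean the limit is too low.
            "repeated": n >= min_hits,
        }
        for ip, n in hits.most_common()
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```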