[Mod-security-developers] Var in dos rule exipired earlier then expected
From: leon xu <xc...@gm...> - 2012-06-05 02:10:12
Hello, everyone,
We use ModSecurity 2.6 to protect some specific pages against DoS attacks.
This is the rule. I tested it on my box and it works. But in some production environments (3000 concurrent connections in worker MPM), it failed.
Early on I used expirevar:dos_block every 1800 seconds, as the ModSecurity docs suggest. I found the var "dos_block" expired within 1-10 seconds (I dumped the resource db), not 1800. So I changed it to deprecatevar.
But it does not work either.
Is it because of a concurrency problem?
Thanks.
----------------------------------------------------------------
# Protected page: remember the requested URI and fall through to the DoS chain;
# every other request jumps straight to Dos_Marker. TX.0 holds the whole match
# (the pattern has no capture group, so TX.1 would always be empty).
SecRule REQUEST_URI "^/login.php" \
    "phase:1,capture,t:lowercase,t:urlDecodeUni,pass,nolog,setvar:tx.dos_uri=%{TX.0},skip:1"
SecAction "phase:1,pass,nolog,skipAfter:Dos_Marker"
# Per-client collection keyed by the client address
SecAction "phase:1,pass,nolog,t:none,setvar:tx.real_ip=%{REMOTE_ADDR}"
SecAction "phase:1,nolog,initcol:resource='%{tx.real_ip}/'"
# First request after a block: clear the flag and jump to the logging deny rule
SecRule RESOURCE:SHOULD_LOG "@eq 1" \
    "phase:1,pass,nolog,setvar:resource.should_log=0,skip:2"
# Already blocked, nolog here; the block flag decays by 1 every 1800 seconds
SecRule RESOURCE:DOS_BLOCKED "@eq 1" \
    "phase:1,deny,nolog,severity:'2',status:403,deprecatevar:resource.dos_blocked=1/1800,skipAfter:Dos_Marker"
SecAction "phase:1,pass,nolog,skip:1"
# Log version, logdata is the real client IP
SecRule RESOURCE:DOS_BLOCKED "@eq 1" \
    "phase:1,deny,log,auditlog,severity:'2',msg:'99010',id:'99010001',tag:'9901',status:403,deprecatevar:resource.dos_blocked=1/1800,logdata:%{tx.real_ip},skipAfter:Dos_Marker"
# counter++ ; the counter decays by 10 every 60 seconds
SecAction \
    "phase:1,nolog,setvar:resource.dos_request_counter=+1,deprecatevar:resource.dos_request_counter=10/60"
# If the counter reaches the limit then block (a phase 5 rule can only set the flag, not deny)
SecRule RESOURCE:DOS_REQUEST_COUNTER "@ge 10" \
    "phase:5,nolog,setvar:resource.dos_request_counter=0,setvar:resource.dos_blocked=1,setvar:resource.should_log=1"
SecMarker Dos_Marker
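A timeline model of the rule chain above, added here as an example (it is neither ModSecurity's code nor the poster's): it replays constructed requests from one client through the chain with the page's own limits (10 requests, a 10/60 counter decay, a 1/1800 block decay) to show how the variables behave for a single, sequential client. It assumes deprecatevar decays a value by `amount` per full `period` since the collection was last written and that the phase:5 rule can only set flags; concurrent workers writing the same collection are deliberately not modelled.

```python
from dataclasses import dataclass

COUNTER_LIMIT = 10        # RESOURCE:DOS_REQUEST_COUNTER "@ge 10" flags the client
COUNTER_DECAY = (10, 60)  # deprecatevar:resource.dos_request_counter=10/60
BLOCK_DECAY = (1, 1800)   # deprecatevar:resource.dos_blocked=1/1800


@dataclass
class Resource:
    """Per-client collection, as created by initcol:resource='%{tx.real_ip}/'."""
    counter: int = 0
    blocked: int = 0
    should_log: int = 0
    last_update: float = 0.0  # when the collection was last written back


def deprecate(value, last_update, now, amount, period):
    """Model of deprecatevar (assumption): subtract `amount` for each full
    `period` elapsed since the collection was last written, floored at 0."""
    return max(0, value - int((now - last_update) // period) * amount)


def handle_request(store, ip, uri, now):
    """Run one request through the quoted chain; returns (decision, logged)."""
    if not uri.lower().startswith("/login.php"):
        return "allow", False  # skipAfter:Dos_Marker: unprotected pages bypass it
    res = store.setdefault(ip, Resource(last_update=now))
    decision, logged, use_log_copy = "allow", False, False
    if res.should_log == 1:    # skip:2 lands on the logging copy of the deny rule
        res.should_log = 0
        use_log_copy = True
    if res.blocked == 1:       # "@eq 1" is tested before deprecatevar decays the flag,
        decision, logged = "deny", use_log_copy  # so one more request is still denied
        res.blocked = deprecate(res.blocked, res.last_update, now, *BLOCK_DECAY)
    else:                      # setvar:+1 first, then the 10/60 decay
        res.counter = deprecate(res.counter + 1, res.last_update, now, *COUNTER_DECAY)
    if res.counter >= COUNTER_LIMIT:  # phase:5 rule: phase 1 skips do not affect it
        res.counter, res.blocked, res.should_log = 0, 1, 1
    res.last_update = now      # collection persisted at the end of the transaction
    return decision, logged


def simulate():
    """Constructed timeline for one client (constructed values, not captured traffic)."""
    store, ip = {}, "203.0.113.7"
    timeline = [(t, "/login.php") for t in range(10)]         # 10 hits in 10 s
    timeline += [(10, "/login.php"), (11, "/login.php")]      # while blocked
    timeline += [(1811, "/login.php"), (1812, "/login.php")]  # after the 1800 s decay
    timeline += [(1813, "/index.php")]                        # unprotected page
    return [handle_request(store, ip, uri, t) for t, uri in timeline]
```

In this model the tenth request is still allowed, because the phase:5 rule only flags the client, and the first request after the 1800 s window is still denied, because the flag is tested before deprecatevar decays it.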