[Mod-security-developers] Var in dos rule expired earlier than expected
From: leon xu <xc...@gm...> - 2012-06-05 02:10:12
Hello everyone, we use ModSecurity 2.6 to protect some specific pages against DoS attacks. This is the rule. I tested it on my box and it works. But in a production environment (3000 concurrent connections in worker MPM), it failed. Earlier I used expirevar:dos_block every 1800 seconds, as the ModSecurity docs suggest. I found the var "dos_block" expired within 1-10 seconds (I dumped the resource db), not 1800. So I changed it to deprecatevar. But that does not work either. Is this because of a concurrency problem? Thanks.

----------------------------------------------------------------
SecRule REQUEST_URI "^/login.php" \
    "phase:1,capture,t:lowercase,t:urlDecodeUni,pass,nolog,setvar:tx.dos_uri=%{TX.1},skip:1"
SecAction "phase:1,pass,nolog,skipAfter:Dos_Marker"

SecAction "phase:1,pass,nolog,t:none,setvar:tx.real_ip=%{REMOTE_ADDR}"
SecAction "phase:1,nolog,initcol:resource='%{tx.real_ip}/'"

SecRule RESOURCE:SHOULD_LOG "@eq 1" "phase:1,pass,nolog,setvar:resource.should_log=0,skip:2"

# already blocked, nolog here
SecRule RESOURCE:DOS_BLOCKED "@eq 1" \
    "phase:1,deny,nolog,severity:'2',status:403,deprecatevar:resource.dos_blocked=1/1800,skipAfter:Dos_Marker"
SecAction "phase:1,pass,nolog,skip:1"

# log version, logdata is real client ip
SecRule RESOURCE:DOS_BLOCKED "@eq 1" \
    "phase:1,deny,log,auditlog,severity:'2',msg:'99010',id:'99010001',tag:'9901',status:403,deprecatevar:resource.dos_blocked=1/1800,logdata:%{tx.real_ip},skipAfter:Dos_Marker"

# counter++
SecAction "phase:1,nolog,setvar:resource.dos_request_counter=+1,deprecatevar:resource.dos_request_counter=10/60"

# if counter == max then block
SecRule RESOURCE:DOS_REQUEST_COUNTER "@ge 10" \
    "phase:5,nolog,setvar:resource.dos_request_counter=0,setvar:resource.dos_blocked=1,setvar:resource.should_log=1"

SecMarker Dos_Marker
----------------------------------------------------------------
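The following is an added Python model of the rule chain posted above, written for this thread as an illustration; it is not part of the original message and not ModSecurity code. It walks the rules in order for each request (the /login.php check, the should_log skip, the silent and the logging deny rule, counter++ with deprecatevar, and the phase 5 threshold) so that the intended behaviour of the counter and the 1800 s block can be checked against a timeline. The decay function is an assumption: it subtracts the deprecatevar amount once per whole period elapsed since the collection was last updated, a simplification of the real persistence code. The timelines and the documentation-range IP addresses are constructed.

```python
# Constructed Python model of the posted per-IP DoS rule chain (not ModSecurity code).
# Assumption: deprecatevar subtracts `amount` once per whole `period` that has
# elapsed since the collection's last update, and never goes below zero.
from dataclasses import dataclass

# Parameters taken from the posted rules
COUNTER_AMOUNT, COUNTER_PERIOD = 10, 60   # deprecatevar:resource.dos_request_counter=10/60
BLOCK_AMOUNT, BLOCK_PERIOD = 1, 1800      # deprecatevar:resource.dos_blocked=1/1800
MAX_REQUESTS = 10                         # SecRule RESOURCE:DOS_REQUEST_COUNTER "@ge 10"
PROTECTED_PREFIX = "/login.php"           # SecRule REQUEST_URI "^/login.php"


@dataclass
class Resource:
    """One 'resource' collection, keyed by client IP (initcol:resource='%{tx.real_ip}/')."""
    dos_request_counter: int = 0
    dos_blocked: int = 0
    should_log: int = 0
    last_update: float = 0.0  # assumed model of the collection's last-update timestamp


def deprecate(value: int, amount: int, period: int, elapsed: float) -> int:
    """Model of deprecatevar: subtract `amount` per whole `period` elapsed, floor at 0."""
    return max(0, value - amount * int(elapsed // period))


def handle_request(store: dict, ip: str, uri: str, now: float):
    """Walk the rule chain for one request; returns (verdict, logged)."""
    # Rules 1/2: only /login.php is protected, everything else skips to Dos_Marker.
    if not uri.lower().startswith(PROTECTED_PREFIX):
        return ("pass", False)

    col = store.get(ip)
    if col is None:
        col = store[ip] = Resource(last_update=now)
    elapsed = now - col.last_update

    # RESOURCE:SHOULD_LOG @eq 1 -> clear the flag and skip:2 to the logging deny rule.
    if col.should_log == 1:
        col.should_log = 0
        if col.dos_blocked == 1:
            col.dos_blocked = deprecate(col.dos_blocked, BLOCK_AMOUNT, BLOCK_PERIOD, elapsed)
            col.last_update = now
            return ("deny", True)          # deny,log,auditlog,logdata:%{tx.real_ip}
    # RESOURCE:DOS_BLOCKED @eq 1 -> silent deny while the block lasts.
    elif col.dos_blocked == 1:
        col.dos_blocked = deprecate(col.dos_blocked, BLOCK_AMOUNT, BLOCK_PERIOD, elapsed)
        col.last_update = now
        return ("deny", False)             # deny,nolog

    # counter++ with decay (phase 1), then the threshold check (phase 5).
    col.dos_request_counter += 1
    col.dos_request_counter = deprecate(col.dos_request_counter, COUNTER_AMOUNT,
                                        COUNTER_PERIOD, elapsed)
    col.last_update = now
    if col.dos_request_counter >= MAX_REQUESTS:
        col.dos_request_counter = 0
        col.dos_blocked = 1
        col.should_log = 1
    return ("pass", False)


def simulate(requests):
    """Replay (t, ip, uri) tuples in time order; return the verdict for each."""
    store = {}
    return [handle_request(store, ip, uri, t) for t, ip, uri in requests]


# Constructed timelines (documentation-range addresses, not real clients).
BURST = (
    [(t, "198.51.100.7", "/login.php") for t in range(12)]   # 12 hits in 12 s
    + [(1811, "198.51.100.7", "/login.php"),                 # first hit after 1800 s
       (1812, "198.51.100.7", "/login.php"),
       (1812, "198.51.100.7", "/index.html")]                # unprotected URI
)
PACED = (
    [(t, "203.0.113.9", "/login.php") for t in range(9)]     # 9 hits, then a pause
    + [(70, "203.0.113.9", "/login.php")]
)

if __name__ == "__main__":
    for name, timeline in (("burst", BURST), ("paced", PACED)):
        for (t, ip, uri), verdict in zip(timeline, simulate(timeline)):
            print(f"{name:5} t={t:5} {ip:14} {uri:12} -> {verdict}")
```

Under this model the burst client is admitted for its first ten requests, the eleventh is denied with a log entry (the should_log path), later ones are denied silently, and the first request after the 1800 s window is still denied because the deprecatevar action only runs once that deny rule has matched; the paced client, whose tenth request arrives after a 60 s gap, is never blocked because the counter is decremented by 10 before the phase 5 check. Replaying the timestamps from a real access log through the same function is a quick way to compare what the rules should do with what the dumped collection shows.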