Re: [Mod-security-developers] Var in dos rule expired earlier than expected
From: Breno S. <bre...@gm...> - 2012-06-05 12:16:50
Are you using modsecurity 2.6.5?
Thanks
Breno
On Mon, Jun 4, 2012 at 9:10 PM, leon xu <xc...@gm...> wrote:
> Hello, everyone
>
> We use modsecurity 2.6 to protect against DoS attacks on some specific
> pages.
> This is the rule. I tested it in my box, and it works. But in a production
> environment (3000 concurrent connections in worker MPM), it failed.
> At first I used expirevar:dos_block every 1800 seconds, as the
> modsecurity docs suggest. I found the var "dos_block" expired within 1-10
> seconds (I dumped the resource db), not 1800. So I changed it to
> deprecatevar.
> But that does not work either.
> Is it because of the concurrency problem?
>
> Thanks.
>
>
> ----------------------------------------------------------------
>
> # Only /login.php is rate limited; every other request jumps to Dos_Marker.
> # The capture group is needed so that %{TX.1} is actually populated.
> SecRule REQUEST_URI "^(/login\.php)" \
>   "phase:1,capture,t:lowercase,t:urlDecodeUni,pass,nolog,setvar:tx.dos_uri=%{TX.1},skip:1"
> SecAction "phase:1,pass,nolog,skipAfter:Dos_Marker"
>
> # One RESOURCE collection per client IP.
> SecAction "phase:1,pass,nolog,t:none,setvar:tx.real_ip=%{REMOTE_ADDR}"
> SecAction "phase:1,nolog,initcol:resource='%{tx.real_ip}/'"
>
> # should_log is set when the block is first applied (phase 5 rule below):
> # skip:2 jumps over the nolog variant so the block is logged exactly once.
> SecRule RESOURCE:SHOULD_LOG "@eq 1" \
>   "phase:1,pass,nolog,setvar:resource.should_log=0,skip:2"
>
> # already blocked, nolog here
> SecRule RESOURCE:DOS_BLOCKED "@eq 1" \
>   "phase:1,deny,nolog,severity:'2',status:403,deprecatevar:resource.dos_blocked=1/1800,skipAfter:Dos_Marker"
>
> SecAction "phase:1,pass,nolog,skip:1"
>
> # log version, logdata is real client ip
> SecRule RESOURCE:DOS_BLOCKED "@eq 1" \
>   "phase:1,deny,log,auditlog,severity:'2',msg:'99010',id:'99010001',tag:'9901',status:403,deprecatevar:resource.dos_blocked=1/1800,logdata:%{tx.real_ip},skipAfter:Dos_Marker"
>
> # counter++ (the counter decays by 10 every 60 seconds)
> SecAction \
>   "phase:1,nolog,setvar:resource.dos_request_counter=+1,deprecatevar:resource.dos_request_counter=10/60"
>
> # if counter >= max then block (phase 5, so it takes effect from the next request on)
> SecRule RESOURCE:DOS_REQUEST_COUNTER "@ge 10" \
>   "phase:5,nolog,setvar:resource.dos_request_counter=0,setvar:resource.dos_blocked=1,setvar:resource.should_log=1"
>
> SecMarker Dos_Marker
>
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>
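Added example (not part of either message and not ModSecurity code): a small Python model of the quoted rule chain, so that a dump of the real RESOURCE collection can be compared with what the rules are meant to produce per client IP. It assumes, because the thread does not say so, that deprecatevar:VAR=units/period subtracts units * floor(elapsed / period) with elapsed measured from the collection's last write and clamps at zero, that the collection is written only when a variable actually changes, and that every simulated request hits /login.php. The client addresses and timestamps are constructed.

```python
"""Reference model of the per-client DoS rule chain quoted above.

Added example for this page; it is not ModSecurity code and was not posted
by either participant. It simulates one RESOURCE collection per client IP
(what initcol:resource='%{tx.real_ip}/' creates) so that a dump of the real
collection can be compared with what the rules are meant to produce.

Assumptions made here that the thread does not state:
  * deprecatevar:VAR=units/period subtracts units * floor(elapsed / period),
    elapsed being the seconds since the collection was last written, and
    the result is clamped at zero.
  * The collection is written (LAST_UPDATE_TIME refreshed) only when one of
    its variables actually changes; a brand-new collection counts as written
    at creation time.
  * Every simulated request is for /login.php, so the first rule never
    skips to Dos_Marker.
"""
from dataclasses import dataclass

COUNTER_MAX = 10          # SecRule RESOURCE:DOS_REQUEST_COUNTER "@ge 10"
COUNTER_DECAY = (10, 60)  # deprecatevar:resource.dos_request_counter=10/60
BLOCK_DECAY = (1, 1800)   # deprecatevar:resource.dos_blocked=1/1800


@dataclass
class Resource:
    """Variables of one client's RESOURCE collection."""
    dos_request_counter: int = 0
    dos_blocked: int = 0
    should_log: int = 0
    last_update: int = 0  # LAST_UPDATE_TIME of the collection, in seconds


def deprecate(value, decay, elapsed):
    """Model of deprecatevar (assumed semantics, see module docstring)."""
    units, period = decay
    return max(0, value - units * (elapsed // period))


def handle_request(col, now):
    """Run one request through the rule chain.

    Returns (verdict, logged): verdict is 'allow' or 'deny', logged says
    whether the deny went through the log,auditlog variant of the rule.
    """
    elapsed = now - col.last_update
    before = (col.dos_request_counter, col.dos_blocked, col.should_log)

    # SecRule RESOURCE:SHOULD_LOG "@eq 1" ... setvar:resource.should_log=0,skip:2
    # routes this request to the logging variant of the block rule, once.
    log_this_block = col.should_log == 1
    col.should_log = 0

    if col.dos_blocked == 1:
        # Either RESOURCE:DOS_BLOCKED rule: deny, decay the flag, skipAfter:Dos_Marker.
        # The flag is tested before deprecatevar runs, so the request that
        # brings it back to 0 is itself still denied.
        col.dos_blocked = deprecate(col.dos_blocked, BLOCK_DECAY, elapsed)
        verdict = ("deny", log_this_block)
    else:
        # counter++ : setvar +1, then deprecatevar 10/60.
        col.dos_request_counter = deprecate(
            col.dos_request_counter + 1, COUNTER_DECAY, elapsed)
        # Phase 5 rule: at the threshold, reset the counter and arm the block.
        # It runs after the response, so this request is still allowed.
        if col.dos_request_counter >= COUNTER_MAX:
            col.dos_request_counter = 0
            col.dos_blocked = 1
            col.should_log = 1
        verdict = ("allow", False)

    if (col.dos_request_counter, col.dos_blocked, col.should_log) != before:
        col.last_update = now
    return verdict


class Simulation:
    """In-memory stand-in for the persistent store of one ModSecurity instance."""

    def __init__(self):
        self.collections = {}

    def request(self, client_ip, now):
        """One request from client_ip at wall-clock second `now`."""
        col = self.collections.get(client_ip)
        if col is None:  # initcol creates the collection on first sight
            col = self.collections[client_ip] = Resource(last_update=now)
        return handle_request(col, now)


if __name__ == "__main__":
    # Constructed trace: a client hits /login.php once per second, then
    # retries just before and just after the 1800 s block window.
    sim = Simulation()
    for t in list(range(1000, 1012)) + [2809, 2810, 2811]:
        print(t, sim.request("203.0.113.7", t), sim.collections["203.0.113.7"])
```

Under these rules the tenth request in a minute is still answered, the eleventh is denied and logged once, and dos_blocked should then read 1 in the collection dump for a full 1800 s of wall-clock time no matter how often the client retries; the counter should fall by 10 for every minute of silence. A dump in which dos_blocked drops 1-10 s after being set, as reported in the question, therefore points at the persistent store not carrying the value between requests (the concurrency suspicion raised above) rather than at the deprecatevar arithmetic. The model ignores SecCollectionTimeout (3600 s by default), after which an idle client's whole collection, block flag included, is discarded.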