Re: [Mod-security-developers] Var in dos rule expired earlier than expected
From: Ryan B. <RBa...@tr...> - 2012-06-05 12:28:33
From: leon xu <xc...@gm...>
Reply-To: mod...@li...
Date: Mon, 4 Jun 2012 21:10:06 -0500
To: mod...@li...
Subject: [Mod-security-developers] Var in dos rule expired earlier than expected
Hello, everyone,
We use ModSecurity 2.6 to protect some specific pages against DoS attacks.
Just an FYI – the OWASP ModSecurity CRS already has a DoS ruleset - http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/experimental_rules/modsecurity_crs_11_dos_protection.conf?revision=1797
You might want to try it and see if you still have issues.
-=Ryan
This is the rule. I tested it on my box and it works. But in some production environments (3000 concurrent connections in worker MPM), it failed.
Earlier I used expirevar:dos_block with 1800 seconds, as the ModSecurity docs suggest. I found that the var "dos_block" expired within 1-10 seconds (I dumped the resource db), not 1800. So I changed it to deprecatevar.
But that does not work either.
Is it because of the concurrency problem?
Thanks.
----------------------------------------------------------------
SecRule REQUEST_URI "^/login.php" \
"phase:1,capture,t:lowercase,t:urlDecodeUni,pass,nolog,setvar:tx.dos_uri=%{TX.1},skip:1"
SecAction "phase:1,pass,nolog,skipAfter:Dos_Marker"
SecAction "phase:1,pass,nolog,t:none,setvar:tx.real_ip=%{REMOTE_ADDR}"
SecAction "phase:1,nolog,initcol:resource='%{tx.real_ip}/'"
SecRule RESOURCE:SHOULD_LOG "@eq 1" "phase:1,pass,nolog,setvar:resource.should_log=0,skip:2"
#already blocked, nolog here
SecRule RESOURCE:DOS_BLOCKED "@eq 1" \
"phase:1,deny,nolog,severity:'2',status:403,deprecatevar:resource.dos_blocked=1/1800,skipAfter:Dos_Marker"
SecAction "phase:1,pass,nolog,skip:1"
#log version, logdata is real client ip
SecRule RESOURCE:DOS_BLOCKED "@eq 1" \
"phase:1,deny,log,auditlog,severity:'2',msg:'99010',id:'99010001',tag:'9901',status:403,deprecatevar:resource.dos_blocked=1/1800,logdata:%{tx.real_ip},skipAfter:Dos_Marker"
#counter++
SecAction "phase:1,nolog,setvar:resource.dos_request_counter=+1,deprecatevar:resource.dos_request_counter=10/60"
# if counter == max then block
SecRule RESOURCE:DOS_REQUEST_COUNTER "@ge 10" \
"phase:5,nolog,setvar:resource.dos_request_counter=0,setvar:resource.dos_blocked=1,setvar:resource.should_log=1"
SecMarker Dos_Marker
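To make the intended timing of the rule chain above easy to check, here is an added Python model of it (my code, not the poster's rules and not ModSecurity's implementation). It assumes deprecatevar subtracts the amount once per full interval elapsed since the variable's previous update; it is single-process, so it shows only what the counter and block flag should do and cannot reproduce the lost-update race between concurrent workers that the poster suspects.

```python
from dataclasses import dataclass

COUNTER_LIMIT = 10        # SecRule RESOURCE:DOS_REQUEST_COUNTER "@ge 10"
COUNTER_DECAY = (10, 60)  # deprecatevar:resource.dos_request_counter=10/60
BLOCK_DECAY = (1, 1800)   # deprecatevar:resource.dos_blocked=1/1800


@dataclass
class Resource:
    """Model of one 'resource' collection row (one per real client IP)."""
    counter: float = 0.0
    counter_ts: float = 0.0   # time of the previous counter update
    blocked: float = 0.0
    blocked_ts: float = 0.0   # time the block flag was raised


def deprecate(value, last_change, now, amount, interval):
    """Assumed deprecatevar semantics: subtract `amount` once per full
    `interval` seconds elapsed since the variable last changed, floor at 0."""
    steps = int((now - last_change) // interval)
    return max(0.0, value - steps * amount)


def handle_request(res, now):
    """Apply one request at time `now`; True means the request is denied (403)."""
    # The two DOS_BLOCKED rules: decay the flag, deny while it is still 1.
    res.blocked = deprecate(res.blocked, res.blocked_ts, now, *BLOCK_DECAY)
    if res.blocked >= 1:
        return True
    # "#counter++": decay relative to the previous update, then add one.
    res.counter = deprecate(res.counter, res.counter_ts, now, *COUNTER_DECAY) + 1
    res.counter_ts = now
    # Phase-5 rule: at the limit, reset the counter and raise the block flag,
    # so the request that reaches the limit is still served; the next is denied.
    if res.counter >= COUNTER_LIMIT:
        res.counter = 0.0
        res.blocked = 1.0
        res.blocked_ts = now
    return False


def simulate(timestamps):
    """Run one client's request timestamps (seconds) through the model."""
    res = Resource()
    return [(t, handle_request(res, t)) for t in timestamps]


if __name__ == "__main__":
    # Constructed traffic: a 10-request burst, then probes around the 1800 s mark.
    for t, denied in simulate(list(range(10)) + [10, 1808, 1809]):
        print(f"t={t:5d}s  {'DENIED' if denied else 'allowed'}")
```

With this model the block raised by the 10th request holds for exactly 1800 s and then clears, which is the behaviour the poster expected and did not see under load; comparing a dump of the real resource collection against the model's timeline isolates whether the discrepancy is in the decay arithmetic or in concurrent writes to the collection.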