[mod-security-users] DOS rule blocking IP and User Agent not IP

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi everybody,

I loaded the required rules to make DOS 900015 rule to work:

modsecurity.conf
modsecurity_crs_10_setup.conf ->
/usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf
modsecurity_crs_11_dos_protection.conf ->
/usr/share/modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf

The problem now is that modsecurity blocks recurring request from certain
IP using the same agent. If I try to make a request to the while
"blacklist" but using a different user agent, modsecurity allows the
request.

I'm reading debug logs (9) and audit logs (K included) but I can't see any
reference to User Agent.

Here is my testing 900015 rule:
---------------------------------------------------------------
SecAction \
  "id:'900015', \
  phase:1, \
  t:none, \
  setvar:'tx.dos_burst_time_slice=60', \
  setvar:'tx.dos_counter_threshold=10', \
  setvar:'tx.dos_block_timeout=60', \
  nolog,auditlog, \
  pass"
---------------------------------------------------------------

Any ideas?

Thanks in advance,

Alfredo