[mod-security-users] DOS rule blocking IP and User Agent not IP
Brought to you by:
victorhora,
zimmerletw
From: Jesús A. C. <alf...@gm...> - 2014-09-23 22:06:16
|
Hi everybody, I loaded the required rules to make DOS 900015 rule to work: modsecurity.conf modsecurity_crs_10_setup.conf -> /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf modsecurity_crs_11_dos_protection.conf -> /usr/share/modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf The problem now is that modsecurity blocks recurring request from certain IP using the same agent. If I try to make a request to the while "blacklist" but using a different user agent, modsecurity allows the request. I'm reading debug logs (9) and audit logs (K included) but I can't see any reference to User Agent. Here is my testing 900015 rule: --------------------------------------------------------------- SecAction \ "id:'900015', \ phase:1, \ t:none, \ setvar:'tx.dos_burst_time_slice=60', \ setvar:'tx.dos_counter_threshold=10', \ setvar:'tx.dos_block_timeout=60', \ nolog,auditlog, \ pass" --------------------------------------------------------------- Any ideas? Thanks in advance, Alfredo |