Re: [mod-security-users] Advice for moving forward with more CRS rules
From: Manuel S. <spa...@gm...> - 2020-06-13 11:46:08
That's why I suggest using envvars and stopping/redirecting using rewrite rules. Other than editing the entire thing, you can also play with the default action set to pass and the thresholds to block set to sky-high values.

Sent from my iPhone

> On Jun 13, 2020, at 5:30 AM, Jamie Burchell <ja...@ib...> wrote:
>
> Hi Manuel
>
> Thanks for the reply. The rate limit rule I have in place already is working well. The question is more how I can now try out and monitor more of the CRS safely without actually blocking requests, now that I'm using my own rules and some of the other CRS rules. I don't actually think I can; I think all I can really do is change the actions of the anomaly detection routines to pass and log, which will stop the rules I've already tested from actually blocking.
>
> Sent from my iPhone
>
>> On 12 Jun 2020, at 23:52, Manuel Spartan <spa...@gm...> wrote:
>>
>> Hi Jamie, what about using the setenv action on those connections that need to slow down, and a rewrite rule answering with a redirect to a static HTML page saying 'slowdown'? As for the logic, you will need to initialize the collection to keep track of the request rate over time; take a look at the CRS brute force/DoS rules for inspiration.
>>
>> You can also use mod_qos.
>>
>> Regards,
>> Manuel
>>
>> Sent from my iPhone
>>
>>> On Jun 12, 2020, at 6:02 AM, Jamie Burchell <ja...@ib...> wrote:
>>>
>>> Hello
>>>
>>> I'm hoping for some general advice on next steps for my EL7 / Apache 2.4 / ModSecurity 2.9 / OWASP CRS setup please. This is potentially more of a CRS question, so apologies if this is the wrong place to pose the question, and I'd appreciate any pointers as to where I could ask this. Server Fault hasn't yielded any response.
>>>
>>> I had a requirement to rate limit some URL paths and to (attempt to) block some well-known scripting user agents, and have successfully achieved both of these things using a custom mod_security rule for the rate limit and the OWASP CRS rules pertaining to scripting user agents.
>>>
>>> For the moment, I've disabled pretty much all of the CRS rules except for the scanners. I needed to increase the Paranoia Level (PL) to 2 before those rules I needed were activated.
>>>
>>> I'd now like to look at enabling more of the CRS, but in a monitored and controlled way, and this now poses a problem. I have a rate limit rule live and working and CRS rules at PL2 just for script scanner detection. I'm not able to put mod_security in detection-only mode, because I have live rules working. I can change the blocking actions for the anomaly detection rules to pass and log, but this will deactivate my scanner rules. And I'm stuck with PL2 in order to get the scanner rules I need.
>>>
>>> I'm unsure how to proceed in a controlled way to monitor further CRS rules without them actually blocking, and whether or not I'm stuck with PL2 for all other rules because of what I need for the scanners.
>>>
>>> Would really appreciate any pointers; this conundrum is driving me mad.
>>>
>>> Thanks in advance
>>> Jamie
>>>
>>>
>>>
>>> _______________________________________________
>>> mod-security-users mailing list
>>> mod...@li...
>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>> http://www.modsecurity.org/projects/commercial/rules/
>>> http://www.modsecurity.org/projects/commercial/support/
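The three pieces discussed in this thread (a per-path rate limit built on an IP collection, the setenv-plus-RewriteRule "slowdown" redirect, and running the rest of the CRS in log-only mode while one's own enforcing rules and the needed scanner detection keep blocking), put together as an added example. This is not code from the thread or from the CRS project. Assumed: ModSecurity 2.9 with CRS 3.x, the custom rule IDs 1000xx, the path /api/login with a budget of 20 requests per 60 seconds, the static page /slowdown.html, and a local copy of the CRS scripting-user-agents.data file placed next to this rule file.

```apache
# --- 1. Rate limit on one path, handing the decision to mod_rewrite ---------
# The IP collection is persisted under SecDataDir (must already be set, e.g.
# "SecDataDir /var/lib/mod_security", writable by the Apache user).
SecAction "id:100001,phase:1,nolog,pass,t:none,initcol:ip=%{REMOTE_ADDR}"

# Count hits on the rate-limited path (assumed: /api/login) and let the
# counter expire 60 seconds after the last hit.
SecRule REQUEST_URI "@beginsWith /api/login" \
    "id:100002,phase:1,nolog,pass,t:none,\
    setvar:ip.login_hits=+1,expirevar:ip.login_hits=60"

# Over budget (assumed: more than 20 in the window): do not deny here, just
# log and mark the request with an environment variable. phase:1 is used so
# the variable exists before mod_rewrite looks at the request.
SecRule IP:LOGIN_HITS "@gt 20" \
    "id:100003,phase:1,pass,log,t:none,\
    msg:'Rate limit exceeded for %{REQUEST_URI} from %{REMOTE_ADDR}',\
    setenv:RATE_LIMITED=1"

# mod_rewrite answers marked requests with a redirect to a static page.
RewriteEngine On
RewriteCond %{ENV:RATE_LIMITED} =1
RewriteRule ^ /slowdown.html [R=302,L]

# --- 2. The rest of the CRS in log-only mode, engine still enforcing ---------
# SecRuleEngine stays On so the rules above (and the one below) still act.
# In crs-setup.conf, edit the EXISTING entries with these IDs (do not add a
# second copy; duplicate IDs are a startup error): keep the paranoia level the
# scanner rules need, and move the blocking thresholds out of reach so the
# anomaly-score evaluation in rule 949110 never reaches its deny.
SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=2"
SecAction "id:900110,phase:1,nolog,pass,t:none,\
    setvar:tx.inbound_anomaly_score_threshold=10000,\
    setvar:tx.outbound_anomaly_score_threshold=10000"

# --- 3. Keep the one detection you rely on enforcing -------------------------
# With the thresholds raised, CRS rule 913101 only adds to the score, so a
# local copy of its check denies outright. Assumed: scripting-user-agents.data
# copied from the CRS rules directory into the directory of this file
# (@pmFromFile resolves relative paths against the including config file).
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
    "id:100010,phase:1,deny,status:403,log,t:none,\
    msg:'Scripting user agent blocked (local copy of the CRS 913101 check)'"
```

With this in place the CRS rules fire and score as normal but never block, so the audit log shows exactly which rules would have triggered at PL2 on real traffic; the custom rules carry their own `deny`, `setenv` and `pass` actions and are unaffected by the thresholds. Two caveats to check in a test environment first: the `setenv`/mod_rewrite ordering depends on ModSecurity's phase 1 running before the rewrite rules are evaluated (if it does not in a given configuration, ModSecurity's own `redirect:` action on rule 100003 is the fallback), and the local copy of the user-agent data file must be refreshed whenever the CRS is updated.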