[mod-security-users] about ip/IP

[<877...@qq...>]

hi, all:


For below rule, two high lighted IP/ip will be translated to client IP address ? only in this case, it is reasonable.


SecRule IP:DOS_BURST_COUNTER "@ge 1" \
    "id:912171,\
    phase:5,\
    pass,\
    t:none,\
    log,\
    msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-dos',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.2.0',\
    setvar:'ip.dos_block=1',\
    expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"





Thanks
huiming