Re: [mod-security-users] about ip/IP

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

but I DO NOT find any document that&nbsp; ip (low case) will be translated to brower ip.

------------------&nbsp;Original&nbsp;------------------
From:                                                                                                                        "mod-security-users"                                                                                    <mod...@li...&gt;;
Date:&nbsp;Wed, Jun 30, 2021 10:17 AM
To:&nbsp;"mod-security-users"<mod...@li...&gt;;
Cc:&nbsp;"huiming"<877...@qq...&gt;;
Subject:&nbsp;[mod-security-users] about ip/IP

hi, all:

For below rule, two high lighted IP/ip will be translated to client IP address ? only in this case, it is reasonable.

SecRule IP:DOS_BURST_COUNTER "@ge 1" \
&nbsp; &nbsp; "id:912171,\
&nbsp; &nbsp; phase:5,\
&nbsp; &nbsp; pass,\
&nbsp; &nbsp; t:none,\
&nbsp; &nbsp; log,\
&nbsp; &nbsp; msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\
&nbsp; &nbsp; tag:'application-multi',\
&nbsp; &nbsp; tag:'language-multi',\
&nbsp; &nbsp; tag:'platform-multi',\
&nbsp; &nbsp; tag:'attack-dos',\
&nbsp; &nbsp; tag:'paranoia-level/2',\
&nbsp; &nbsp; ver:'OWASP_CRS/3.2.0',\
&nbsp; &nbsp; setvar:'ip.dos_block=1',\
&nbsp; &nbsp; expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"

Thanks
huiming