mod-security-developers Mailing List for ModSecurity (Page 40)
Brought to you by: victorhora, zimmerletw
From: Diego E. P. <fla...@gm...> - 2011-04-19 16:32:28

On Tue, 19/04/2011 at 11.30 -0500, Breno Silva wrote:
> What files are creating this problem ?

# modified: Makefile
# modified: Makefile.in
# typechange: acinclude/libtool.m4
# typechange: acinclude/ltoptions.m4
# typechange: acinclude/ltsugar.m4
# typechange: acinclude/ltversion.m4
# typechange: acinclude/lt~obsolete.m4
# modified: aclocal.m4
# modified: alp2/Makefile.in
# modified: apache2/Makefile
# modified: apache2/Makefile.in
# modified: autom4te.cache/output.0
# modified: autom4te.cache/output.1
# modified: autom4te.cache/requests
# modified: autom4te.cache/traces.0
# modified: autom4te.cache/traces.1
# typechange: build/config.guess
# typechange: build/config.sub
# typechange: build/depcomp
# modified: build/find_lua.m4
# typechange: build/install-sh
# typechange: build/ltmain.sh
# typechange: build/missing
# modified: config.log
# modified: config.status
# modified: configure
# modified: ext/Makefile.in
# modified: libtool
# modified: mlogc/Makefile.in
# modified: tests/Makefile.in
# modified: tools/Makefile.in

In this list the one file I modified was build/find_lua.m4; the rest are re-generated by autotools. In particular autom4te.cache is totally useless (it's a temporary cache that is per-system); Makefile.in files are generated by automake, config.log by ./configure, and so on and so forth.

--
Diego Elio Pettenò — Flameeyes
http://blog.flameeyes.eu/
From: Breno S. <bre...@gm...> - 2011-04-19 16:30:29

Hi Diego,

What files are creating this problem?

thanks
Breno

On Tue, Apr 19, 2011 at 11:27 AM, Diego Elio Pettenò <fla...@gm...> wrote:
> Trying to patch a single file causes a whole lot of files to be different in the checkout, which makes it a burden to keep in sync with upstream. It would be much better if all the autotools results weren't in the SVN tree at all.
>
> --
> Diego Elio Pettenò — Flameeyes
> http://blog.flameeyes.eu/
>
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
From: Diego E. P. <fla...@gm...> - 2011-04-19 16:27:24

Trying to patch a single file causes a whole lot of files to be different in the checkout, which makes it a burden to keep in sync with upstream. It would be much better if all the autotools results weren't in the SVN tree at all.

--
Diego Elio Pettenò — Flameeyes
http://blog.flameeyes.eu/
From: Diego E. P. <fla...@gm...> - 2011-04-19 16:09:20

Here is a simple patch (you probably want to reindent after applying it) that makes it possible to build using ./configure --without-lua.

HTH,

--
Diego Elio Pettenò — Flameeyes
http://blog.flameeyes.eu/
From: Breno S. <bre...@gm...> - 2011-04-18 18:20:30

The ModSecurity Development Team is pleased to announce the availability of the ModSecurity 2.6.0-rc1 Release (www.modsecurity.org).

This is the first release from the 2.6 branch, which improves on the functionality of ModSecurity and introduces some new features. Some highlights:

• Google Safe-Browsing API Integration: Protection for users and content providers from malicious links
• Sensitive Data Tracking: Ability to identify and track US Social Security numbers
• Data Modification: Ability to change data on-the-fly, before delivery, in order to better control outgoing content according to security policies

For a complete list of new features and improvements please see the release notes included in the CHANGES file. For known problems and more information about bug fixes, please see the online ModSecurity Jira.

This is a release candidate version, so the stability should be good. Please report any bugs to mod...@li....

Thanks to the whole ModSecurity community for helping us create this new release!

Breno Silva
From: Breno S. P. (JIRA) <no...@mo...> - 2011-04-18 13:12:14

[ https://www.modsecurity.org/tracker/browse/MODSEC-131?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-131.
--------------------------------------
Resolution: Fixed

For now it's enough. I will reopen if we need to make some modifications during the rc1 test.

> Rewrite build to fully utilize autotools
> ----------------------------------------
>
> Key: MODSEC-131
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-131
> Project: ModSecurity
> Issue Type: Improvement
> Security Level: Normal
> Reporter: Brian Rectanus
> Assignee: Breno Silva Pinto
> Priority: High
> Fix For: 2.6.0
>
> Need to rewrite the build system to fully utilize autotools:
> * Check deps for correct versions
> * Drop apxs as compiler wrapper
> * Use autoconf and rename configure.in to configure.ac
> * Allow for installing utils (mlogc, etc)
> * Use autoconf config macros
> * Remove #ifdef hacks

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: https://www.modsecurity.org/tracker/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira
From: Breno S. P. (JIRA) <no...@mo...> - 2011-04-18 13:10:13

[ https://www.modsecurity.org/tracker/browse/MODSEC-140?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto closed MODSEC-140.
------------------------------------
Resolution: Fixed

> Add a fast IP address and network based matching operator
> ---------------------------------------------------------
>
> Key: MODSEC-140
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-140
> Project: ModSecurity
> Issue Type: New Feature
> Security Level: Normal
> Reporter: Brian Rectanus
> Assignee: Breno Silva Pinto
> Fix For: 2.6.0
>
> We need to be able to match IPs and networks quickly, including large lists.
> Something like:
>
>     @ip <ip | ip/cidr | ip/netmask>, ...
>
> This would match if the target was listed in any ip or network.
> This must support both IPv4 and IPv6.
> I am thinking radix tree and/or modifying @pm to support IPs (former sounds better right now).
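The matching semantics the ticket asks for (a comma-separated list of ip, ip/cidr or ip/netmask entries, IPv4 and IPv6 side by side, one radix-tree walk per lookup) can be written out compactly. The block below is an added Python illustration of that design, not ModSecurity's own C implementation of the operator (which shipped in 2.6 as @ipMatch); the class name, the use of Python's ipaddress module for parsing, and the sample address list are all assumptions made for the example.

```python
"""Radix-tree IP/network list matcher, illustrating the @ip operator sketched in MODSEC-140.

Added example, not ModSecurity code.  Entry syntax follows the ticket:
  "<ip | ip/cidr | ip/netmask>, ..."
A target address matches when any entry covers it.  IPv4 and IPv6 keep
separate trees because their key widths differ (32 vs 128 bits).
"""
import ipaddress


class IPListMatcher:
    """Binary radix tree keyed on address bits, one tree per address family.

    A node is a dict with optional children under keys 0 and 1 and an "end"
    marker meaning "a listed prefix terminates here".  Lookup cost is bounded
    by the address width, independent of how many entries were listed.
    """

    def __init__(self, spec):
        self._roots = {4: {}, 6: {}}
        for item in spec.split(","):
            item = item.strip()
            if item:
                self.add(item)

    def add(self, item):
        # ip_network accepts "ip", "ip/prefixlen" and (for IPv4) "ip/dotted-netmask";
        # strict=False lets "192.168.1.77/24" stand for its containing network.
        net = ipaddress.ip_network(item, strict=False)
        node = self._roots[net.version]
        key = int(net.network_address)
        width = net.max_prefixlen
        for i in range(net.prefixlen):
            if "end" in node:
                return                      # a shorter, covering prefix is already listed
            bit = (key >> (width - 1 - i)) & 1
            node = node.setdefault(bit, {})
        node.clear()                        # longer prefixes below are now redundant
        node["end"] = True

    def matches(self, target):
        """Return True if `target` (a textual IPv4/IPv6 address) is covered by any entry."""
        try:
            addr = ipaddress.ip_address(target.strip())
        except ValueError:
            return False                    # garbage in REMOTE_ADDR never matches
        node = self._roots[addr.version]
        key = int(addr)
        width = addr.max_prefixlen
        for i in range(width):
            if "end" in node:
                return True                 # reached a listed prefix that covers us
            bit = (key >> (width - 1 - i)) & 1
            if bit not in node:
                return False
            node = node[bit]
        return "end" in node                # exact host entry (/32 or /128)


def ip_match(spec, target):
    """One-shot convenience wrapper: build the tree for `spec`, then test `target`."""
    return IPListMatcher(spec).matches(target)


if __name__ == "__main__":
    # Constructed sample list mixing all three entry forms and both families.
    rule_list = "192.168.1.77/24, 10.0.0.0/255.0.0.0, 2001:db8::/32, 203.0.113.9"
    matcher = IPListMatcher(rule_list)
    for probe in ("192.168.1.200", "192.168.2.1", "10.255.255.255",
                  "2001:db8:1::1", "2001:db9::1", "203.0.113.9", "203.0.113.10"):
        print(f"{probe:>16} -> {matcher.matches(probe)}")
```

In a real rule the list would come from the operator argument (or a file) and the target from REMOTE_ADDR; the tree is built once at configuration time and reused per request, which is the point of a radix tree over a linear scan of a large list.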
From: Breno S. P. (JIRA) <no...@mo...> - 2011-04-13 13:09:58

[ https://www.modsecurity.org/tracker/browse/MODSEC-37?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-37.
-------------------------------------
Resolution: Fixed

> SecRuleUpdateActionById doesn't seem to work as expected
> --------------------------------------------------------
>
> Key: MODSEC-37
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-37
> Project: ModSecurity
> Issue Type: Bug
> Security Level: Normal
> Components: Core
> Affects Versions: 2.5.6
> Environment: Apache2/Ubuntu 8.04 LTS
> Reporter: Peter Termaten
> Assignee: Breno Silva Pinto
> Fix For: 2.6.0
>
> I'm trying to change the actions of rule 960015, which is in modsecurity_crs_21_protocol_anomalies.conf.
> I added:
>
>     SecRuleUpdateActionById 960015 "deny,status:400,msg:'Rule 960015 denied'"
>
> to modsecurity_crs_60_customrules.conf
> but I see no changes in the behaviour.
From: Ryan B. <RBa...@tr...> - 2011-04-12 16:35:46

On 4/12/11 12:33 PM, "Oleg Gryb" <ole...@ya...> wrote:

> I've tried the suggested default and got the error below. I've also checked the mod-security docs and didn't find the option in question (they have SecResponseBodyLimitAction only)
>
> Error:
> Invalid command 'SecRequestBodyLimitAction', perhaps misspelled or defined by a module not included in the server configuration

See the reference manual - https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRequestBodyLimitAction

This is only available in v2.6.0 which is still in trunk. We are working on the new Recommended Base Config as we will be bundling it with v2.6 when it is released.

-Ryan

> ----- Original Message ----
>> From: Ryan Barnett <RBa...@tr...>
>> To: Oleg Gryb <ol...@gr...>
>> Cc: Oleg Gryb <ol...@gr...>; "mod...@li..." <mod...@li...>
>> Sent: Mon, April 11, 2011 6:13:18 PM
>> Subject: Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
>>
>> You should have a separate file that handles your main config settings - http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#A_Recommended_Base_Configuration
>>
>> These are settings that you maintain for your local site. These should not be included within 3rd party rules such as the CRS.
>>
>> Ryan
>>
>> On Apr 11, 2011, at 9:07 PM, "Oleg Gryb" <ole...@ya...> wrote:
>>
>> It helped, now I see other rules working.
>> My SecRuleEngine setting was commented out (). It means that the default behavior is "Off", right?
>>
>> Probably it's better to have it as DetectionOnly by default.
>>
>> Thanks for your help,
>> Oleg.
>>
>> From: Breno Silva <bre...@gm...>
>> To: mod...@li...
>> Cc: Ryan Barnett <RBa...@tr...>; Oleg Gryb <ol...@gr...>
>> Sent: Mon, April 11, 2011 5:57:52 PM
>> Subject: Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
>>
>> Oleg,
>>
>> I think your SecRuleEngine is set as Off.
>>
>> Please set it to SecRuleEngine DetectionOnly or SecRuleEngine On
>>
>> Thanks
>>
>> Breno
>>
>> On Mon, Apr 11, 2011 at 7:20 PM, Ryan Barnett <RBa...@tr...> wrote:
>> Can you also send your other main config file?
>>
>> On Apr 11, 2011, at 6:55 PM, "Oleg Gryb" <ole...@ya...> wrote:
>>
>>> Ryan,
>>> Thank you for the quick response. Here is the information that you've requested:
>>>
>>> Apache/2.2.17 (Debian)
>>> modsecurity-apache_2.5.13
>>>
>>> The *.conf files are attached as well. I'll try CRS 2.1.3 and let you know if it works.
>>>
>>> Please let me know if you have a fix,
>>> Oleg.
>>>
>>> <modsecurity_crs_10_config.conf>
>>> <modsecurity_crs_11_dos_protection.conf>
>>>
>>> ----- Original Message ----
>>>> From: Ryan Barnett <RBa...@tr...>
>>>> To: "ol...@gr..." <ol...@gr...>; "mod...@li..." <mod...@li...>
>>>> Sent: Mon, April 11, 2011 3:28:38 PM
>>>> Subject: Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
>>>>
>>>> Oleg,
>>>>
>>>> What Apache and ModSecurity versions are you using?
>>>>
>>>> Can you try and sync from SVN and try the 2.1.3 version of CRS?
>>>>
>>>> This does look odd as it is essentially skipping phases 1-4 and then picking up rules in phase:5. Can you send your modsecurity_crs_10_config.conf file?
>>>>
>>>> -Ryan
>>>>
>>>> On 4/11/11 5:59 PM, "Oleg Gryb" <ole...@ya...> wrote:
>>>>
>>>>> I'm trying to make dos_protection work in CRS 2.1.2 and it seems to me that something is grossly wrong with this version. It looks like the only rules that are executed are the ones in "phase:5"; everything else is completely ignored.
>>>>>
>>>>> I have debug level set to 9 and the only rules that are shown in the log file are those that are in phase 5 (see below). Please let me know what is wrong.
>>>>>
>>>>> The collections and variables that are set in modsecurity_crs_10_config.conf are not defined (e.g. IP collection and dos_counter_threshold variable)
>>>>>
>>>>> This is from modsecurity_crs_10_config.conf:
>>>>> -------------------------------------------
>>>>> SecAction "phase:1,t:none,nolog,pass, \
>>>>>   setvar:'tx.dos_burst_time_slice=60', \
>>>>>   setvar:'tx.dos_counter_threshold=1', \
>>>>>   setvar:'tx.dos_block_timeout=600'"
>>>>> ...
>>>>> SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"
>>>>> ...
>>>>>
>>>>> This is from log file:
>>>>> ---------------------
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Initialising transaction (txid TaNTXH8AAAEAAFC-AdsAAABJ).
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Transaction context created (dcfg b78714e0).
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_early).
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] PdfProtect: Not enabled here.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_late).
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Adding PDF XSS protection output filter (r b8c2bba8).
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Processing disabled, skipping.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Initialising logging.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Starting phase LOGGING.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] This phase consists of 36 rule(s).
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba1cb0; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "24"].
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba1cb0: SecRule "IP:DOS_BLOCK" "@eq 1" "phase:5,t:none,nolog,skipAfter:END_DOS_PROTECTION_CHECKS"
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba2438; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "30"].
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba2438: SecRule "REQUEST_BASENAME" "!@rx \\.(jpe?g|png|gif|js|css|ico)$" "phase:5,t:none,log,pass,setvar:ip.dos_counter=+1,logdata:'THRESHOLD=%{tx.dos_counter_threshold}; COUNTER=%{ip.dos_counter}'"
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "!rx" with param "\\.(jpe?g|png|gif|js|css|ico)$" against REQUEST_BASENAME.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: ""
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][6] Ignoring regex captures since "capture" action is not enabled.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 17 usec.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Setting variable: ip.dos_counter=+1
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][3] Could not set variable "ip.dos_counter" as the collection does not exist.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][2] Warning. Match of "rx \\.(jpe?g|png|gif|js|css|ico)$" against "REQUEST_BASENAME" required. [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "30"] [data "THRESHOLD= ; COUNTER="]
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 1.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Match -> mode NEXT_RULE.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba30f8; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "37"].
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba30f8: SecRule "IP:DOS_COUNTER" "@gt %{tx.dos_counter_threshold}" "phase:5,t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter"
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7bca648; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "44"].
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7bca648: SecRule "IP:DOS_BURST_COUNTER" "@ge 1" "phase:5,t:none,log,pass,msg:'Potential Denial of Service (DoS) Attack from %{remote_addr} - # of Request Bursts: %{ip.dos_burst_counter}',setvar:ip.dos_block=1,expirevar:ip.dos_block=%{tx.dos_block_timeout}"
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b85598c8; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "21"].
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b85598c8: SecRule "&TX:'/LEAKAGE\\\\/ERRORS/'" "@ge 1" "phase:5,chain,t:none,log,skipAfter:END_CORRELATION,severity:0,msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "ge" with param "1" against &TX:/LEAKAGE\/ERRORS/.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0"
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 2 usec.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained -> mode NEXT_CHAIN.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8578910; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "28"].
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8578910: SecRule "&TX:'/AVAILABILITY\\\\/APP_NOT_AVAIL/'" "@ge 1" "phase:5,chain,t:none,log,skipAfter:END_CORRELATION,severity:1,msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "ge" with param "1" against &TX:/AVAILABILITY\/APP_NOT_AVAIL/.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0"
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 1 usec.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained -> mode NEXT_CHAIN.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8574618; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "32"].
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8574618: SecRule "TX:INBOUND_ANOMALY_SCORE" "@gt 0" "phase:5,chain,t:none,log,noauditlog,skipAfter:END_CORRELATION,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained -> mode NEXT_CHAIN.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8598b18; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "36"].
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8598b18: SecRule "TX:INBOUND_ANOMALY_SCORE" "@ge %{tx.inbound_anomaly_score_level}" "phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8585558; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "39"].
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8585558: SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@ge %{tx.outbound_anomaly_score_level}" "phase:5,t:none,log,noauditlog,pass,msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'"
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
>>>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Audit log: Not configured to run for this request.
From: Oleg G. <ole...@ya...> - 2011-04-12 16:33:37
|
I've tried the suggested default and got the error below. I've also checked the mod-security docs and didn't find the option in question (they have SecResponseBodyLimitAction only).

Error: Invalid command 'SecRequestBodyLimitAction', perhaps misspelled or defined by a module not included in the server configuration

----- Original Message ----
> From: Ryan Barnett <RBa...@tr...>
> To: Oleg Gryb <ol...@gr...>
> Cc: Oleg Gryb <ol...@gr...>; "mod...@li..." <mod...@li...>
> Sent: Mon, April 11, 2011 6:13:18 PM
> Subject: Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
>
> You should have a separate file that handles your main config settings - http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#A_Recommended_Base_Configuration
>
> These are settings that you maintain for your local site. These should not be included within 3rd party rules such as the CRS.
>
> Ryan
>
> On Apr 11, 2011, at 9:07 PM, "Oleg Gryb" <ole...@ya...> wrote:
>
> It helped, now I see other rules working.
> My SecRuleEngine setting was commented out (). It means that default behavior is "Off", right?
>
> Probably it's better to have it as DetectionOnly by default.
>
> Thanks for your help,
> Oleg.
>
> From: Breno Silva <bre...@gm...>
> To: mod...@li...
> Cc: Ryan Barnett <RBa...@tr...>; Oleg Gryb <ol...@gr...>
> Sent: Mon, April 11, 2011 5:57:52 PM
> Subject: Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
>
> Oleg,
>
> I think your SecRuleEngine is set as Off.
>
> Please set it to SecRuleEngine DetectionOnly or SecRuleEngine On
>
> Thanks
>
> Breno
>
> On Mon, Apr 11, 2011 at 7:20 PM, Ryan Barnett <RBa...@tr...> wrote:
> Can you also send your other main config file?
>
> On Apr 11, 2011, at 6:55 PM, "Oleg Gryb" <ole...@ya...> wrote:
>
> > Ryan,
> > Thank you for the quick response. Here is the information that you've requested:
> >
> > Apache/2.2.17 (Debian)
> > modsecurity-apache_2.5.13
> >
> > The *.conf files are attached as well. I'll try CRS 2.1.3 and let you know if it works.
> >
> > Please let me know if you have a fix,
> > Oleg.
> >
> > ----- Original Message ----
> >> From: Ryan Barnett <RBa...@tr...>
> >> To: "ol...@gr..." <ol...@gr...>; "mod...@li..." <mod...@li...>
> >> Sent: Mon, April 11, 2011 3:28:38 PM
> >> Subject: Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
> >>
> >> Oleg,
> >>
> >> What Apache and ModSecurity versions are you using?
> >>
> >> Can you try and sync from SVN and try the 2.1.3 version of CRS?
> >>
> >> This does look odd as it is essentially skipping phases 1-4 and then picking up rules in phase:5. Can you send your modsecurity_crs_10_config.conf file?
> >>
> >> -Ryan
> >>
> >> On 4/11/11 5:59 PM, "Oleg Gryb" <ole...@ya...> wrote:
> >>
> >>> I'm trying to make dos_protection work in CRS 2.1.2 and it seems to me that something is grossly wrong with this version. It looks like the only rules that are executed are the ones in "phase:5", everything else is completely ignored.
> >>>
> >>> I have debug level set to 9 and the only rules that are shown in the log file are those that are in phase 5 (see below). Please let me know what is wrong.
> >>>
> >>> The collections and variables that are set in modsecurity_crs_10_config.conf are not defined (e.g.
> >>> IP collection and dos_counter_threshold variable)
> >>>
> >>> This is from modsecurity_crs_10_config.conf:
> >>> -------------------------------------------
> >>> SecAction "phase:1,t:none,nolog,pass, \
> >>>   setvar:'tx.dos_burst_time_slice=60', \
> >>>   setvar:'tx.dos_counter_threshold=1', \
> >>>   setvar:'tx.dos_block_timeout=600'"
> >>> ...
> >>> SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"
> >>> ...
> >>>
> >>> This is from log file:
> >>> ---------------------
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Initialising transaction (txid TaNTXH8AAAEAAFC-AdsAAABJ).
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Transaction context created (dcfg b78714e0).
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_early).
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] PdfProtect: Not enabled here.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_late).
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Adding PDF XSS protection output filter (r b8c2bba8).
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Processing disabled, skipping.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Initialising logging.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Starting phase LOGGING.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] This phase consists of 36 rule(s).
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba1cb0; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "24"].
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba1cb0: SecRule "IP:DOS_BLOCK" "@eq 1" "phase:5,t:none,nolog,skipAfter:END_DOS_PROTECTION_CHECKS"
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba2438; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "30"].
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba2438: SecRule "REQUEST_BASENAME" "!@rx \\.(jpe?g|png|gif|js|css|ico)$" "phase:5,t:none,log,pass,setvar:ip.dos_counter=+1,logdata:'THRESHOLD=%{tx.dos_counter_threshold}; COUNTER=%{ip.dos_counter}'"
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "!rx" with param "\\.(jpe?g|png|gif|js|css|ico)$" against REQUEST_BASENAME.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: ""
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][6] Ignoring regex captures since "capture" action is not enabled.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 17 usec.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Setting variable: ip.dos_counter=+1
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][3] Could not set variable "ip.dos_counter" as the collection does not exist.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][2] Warning. Match of "rx \\.(jpe?g|png|gif|js|css|ico)$" against "REQUEST_BASENAME" required. [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "30"] [data "THRESHOLD= ; COUNTER="]
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 1.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Match -> mode NEXT_RULE.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba30f8; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "37"].
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba30f8: SecRule "IP:DOS_COUNTER" "@gt %{tx.dos_counter_threshold}" "phase:5,t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter"
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7bca648; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "44"].
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7bca648: SecRule "IP:DOS_BURST_COUNTER" "@ge 1" "phase:5,t:none,log,pass,msg:'Potential Denial of Service (DoS) Attack from %{remote_addr} - # of Request Bursts: %{ip.dos_burst_counter}',setvar:ip.dos_block=1,expirevar:ip.dos_block=%{tx.dos_block_timeout}"
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b85598c8; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "21"].
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b85598c8: SecRule "&TX:'/LEAKAGE\\\\/ERRORS/'" "@ge 1" "phase:5,chain,t:none,log,skipAfter:END_CORRELATION,severity:0,msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "ge" with param "1" against &TX:/LEAKAGE\/ERRORS/.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0"
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 2 usec.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained -> mode NEXT_CHAIN.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8578910; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "28"].
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8578910: SecRule "&TX:'/AVAILABILITY\\\\/APP_NOT_AVAIL/'" "@ge 1" "phase:5,chain,t:none,log,skipAfter:END_CORRELATION,severity:1,msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "ge" with param "1" against &TX:/AVAILABILITY\/APP_NOT_AVAIL/.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0"
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 1 usec.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained -> mode NEXT_CHAIN.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8574618; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "32"].
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8574618: SecRule "TX:INBOUND_ANOMALY_SCORE" "@gt 0" "phase:5,chain,t:none,log,noauditlog,skipAfter:END_CORRELATION,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained -> mode NEXT_CHAIN.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8598b18; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "36"].
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8598b18: SecRule "TX:INBOUND_ANOMALY_SCORE" "@ge %{tx.inbound_anomaly_score_level}" "phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8585558; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "39"].
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8585558: SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@ge %{tx.outbound_anomaly_score_level}" "phase:5,t:none,log,noauditlog,pass,msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'"
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
> >>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Audit log: Not configured to run for this request.
|
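A small checker for the two failures in this thread, added here as an example and not code from the ModSecurity project or from anyone on the list. It reads a local base config the way Apache does (a commented-out SecRuleEngine leaves the documented default, Off, in force), flags the directive that the thread shows modsecurity-apache_2.5.13 rejecting with "Invalid command", and scans a debug log for the "Processing disabled, skipping (hook ...)" lines that mean phases 1-4 were bypassed while the phase:5 LOGGING rules still ran. The three config fragments and the second log are constructed for the example; the first log's lines are the ones Oleg posted, rejoined one entry per line.

```python
import re

# --- constructed inputs ------------------------------------------------------
# Local base config with the engine directive commented out, as in the thread.
WEAK_CONF = """\
# local base config (constructed for this example)
#SecRuleEngine On
SecRequestBodyAccess On
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 9
"""

# The "suggested default" Oleg tried: engine enabled, but it carries the
# directive his 2.5.13 build does not know (constructed; the real file from
# the wiki link is not reproduced here).
SUGGESTED_CONF = """\
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecRequestBodyLimitAction ProcessPartial
"""

# What works on that build: engine set to DetectionOnly, unknown directive gone.
FIXED_CONF = """\
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 9
"""

# Debug-log entries from the thread, one per line.
DEBUG_LOG = """\
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Initialising transaction (txid TaNTXH8AAAEAAFC-AdsAAABJ).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_early).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_late).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Starting phase LOGGING.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][3] Could not set variable "ip.dos_counter" as the collection does not exist.
"""

# A constructed log for a healthy engine: request phases run before LOGGING.
GOOD_LOG = """\
[11/Apr/2011:12:20:00 --0700] [localhost/sid#b85b0b18][rid#b8c2bbb0][/][4] Starting phase REQUEST_HEADERS.
[11/Apr/2011:12:20:00 --0700] [localhost/sid#b85b0b18][rid#b8c2bbb0][/index.html][4] Starting phase LOGGING.
"""

# Directives Apache refused with "Invalid command" on the 2.5.13 build in the
# thread; extend for your own build.
UNKNOWN_ON_THIS_BUILD = {"SecRequestBodyLimitAction"}

DIRECTIVE_RE = re.compile(r"^[ \t]*(Sec\w+)[ \t]+(\S+)", re.MULTILINE)
SKIPPED_HOOK_RE = re.compile(r"Processing disabled, skipping \(hook (\w+)\)")
NO_COLLECTION_RE = re.compile(r'Could not set variable "(\w+)\.\w+" as the collection does not exist')
PHASE_RE = re.compile(r"Starting phase (\w+)\.")


def effective_rule_engine(conf_text):
    """SecRuleEngine value Apache will apply: a '#' line never matches, so a
    commented-out directive leaves the default, Off, in force; the last
    uncommented occurrence wins."""
    mode = "Off"
    for m in DIRECTIVE_RE.finditer(conf_text):
        if m.group(1) == "SecRuleEngine":
            mode = m.group(2)
    return mode


def unknown_directives(conf_text):
    """Uncommented directives this build will refuse to load."""
    return sorted({m.group(1) for m in DIRECTIVE_RE.finditer(conf_text)
                   if m.group(1) in UNKNOWN_ON_THIS_BUILD})


def skipped_hooks(debug_log):
    """Request hooks the debug log reports as skipped (phases 1-4 bypassed)."""
    return SKIPPED_HOOK_RE.findall(debug_log)


def phases_started(debug_log):
    """Phases that ran; with the engine off only LOGGING shows up."""
    return PHASE_RE.findall(debug_log)


def missing_collections(debug_log):
    """Collections a setvar touched although no initcol ever created them."""
    return sorted(set(NO_COLLECTION_RE.findall(debug_log)))


def diagnose(conf_text, debug_log):
    """Tie the symptoms to their cause, as the replies on the list did."""
    report = {
        "engine": effective_rule_engine(conf_text),
        "unknown_directives": unknown_directives(conf_text),
        "skipped_hooks": skipped_hooks(debug_log),
        "phases_started": phases_started(debug_log),
        "missing_collections": missing_collections(debug_log),
    }
    if report["unknown_directives"]:
        report["verdict"] = ("config will not load on this build: "
                             + ", ".join(report["unknown_directives"]))
    elif report["engine"] == "Off" and report["skipped_hooks"]:
        report["verdict"] = ("SecRuleEngine is Off (missing or commented out): "
                             "phases 1-4 skipped, only phase:5 rules run, so initcol "
                             "never executes and ip.* counters cannot be set")
    else:
        report["verdict"] = "engine enabled (%s); phases run: %s" % (
            report["engine"], ", ".join(report["phases_started"]))
    return report


if __name__ == "__main__":
    for name, conf, log in (("weak", WEAK_CONF, DEBUG_LOG),
                            ("suggested", SUGGESTED_CONF, ""),
                            ("fixed", FIXED_CONF, GOOD_LOG)):
        print(name + ":", diagnose(conf, log)["verdict"])
```

Run it against your own modsecurity.conf and a level-9 debug log: a report whose phases list contains only LOGGING while hooks are skipped is the pattern in this thread, and no amount of CRS tuning fixes it until SecRuleEngine is set in the local base file that Ryan describes.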
From: Ryan B. <RBa...@tr...> - 2011-04-12 01:13:32
|
You should have a separate file that handles your main config settings - http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#A_Recommended_Base_Configuration

These are settings that you maintain for your local site. These should not be included within 3rd party rules such as the CRS.

Ryan

On Apr 11, 2011, at 9:07 PM, "Oleg Gryb" <ole...@ya...> wrote:

It helped, now I see other rules working.
My SecRuleEngine setting was commented out (). It means that default behavior is "Off", right?

Probably it's better to have it as DetectionOnly by default.

Thanks for your help,
Oleg.

From: Breno Silva <bre...@gm...>
To: mod...@li...
Cc: Ryan Barnett <RBa...@tr...>; Oleg Gryb <ol...@gr...>
Sent: Mon, April 11, 2011 5:57:52 PM
Subject: Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log

Oleg,

I think your SecRuleEngine is set as Off.

Please set it to SecRuleEngine DetectionOnly or SecRuleEngine On

Thanks

Breno

On Mon, Apr 11, 2011 at 7:20 PM, Ryan Barnett <RBa...@tr...> wrote:
Can you also send your other main config file?

On Apr 11, 2011, at 6:55 PM, "Oleg Gryb" <ole...@ya...> wrote:

> Ryan,
> Thank you for the quick response. Here is the information that you've requested:
>
> Apache/2.2.17 (Debian)
> modsecurity-apache_2.5.13
>
> The *.conf files are attached as well. I'll try CRS 2.1.3 and let you know if it works.
>
> Please let me know if you have a fix,
> Oleg.
>
> ----- Original Message ----
>> From: Ryan Barnett <RBa...@tr...>
>> To: "ol...@gr..." <ol...@gr...>; "mod...@li..." <mod...@li...>
>> Sent: Mon, April 11, 2011 3:28:38 PM
>> Subject: Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
>>
>> Oleg,
>>
>> What Apache and ModSecurity versions are you using?
>>
>> Can you try and sync from SVN and try the 2.1.3 version of CRS?
>>
>> This does look odd as it is essentially skipping phases 1-4 and then picking up rules in phase:5. Can you send your modsecurity_crs_10_config.conf file?
>>
>> -Ryan
>>
>> On 4/11/11 5:59 PM, "Oleg Gryb" <ole...@ya...> wrote:
>>
>>> I'm trying to make dos_protection work in CRS 2.1.2 and it seems to me that something is grossly wrong with this version. It looks like the only rules that are executed are the ones in "phase:5", everything else is completely ignored.
>>>
>>> I have debug level set to 9 and the only rules that are shown in the log file are those that are in phase 5 (see below). Please let me know what is wrong.
>>>
>>> The collections and variables that are set in modsecurity_crs_10_config.conf are not defined (e.g. IP collection and dos_counter_threshold variable)
>>>
>>> This is from modsecurity_crs_10_config.conf:
>>> -------------------------------------------
>>> SecAction "phase:1,t:none,nolog,pass, \
>>>   setvar:'tx.dos_burst_time_slice=60', \
>>>   setvar:'tx.dos_counter_threshold=1', \
>>>   setvar:'tx.dos_block_timeout=600'"
>>> ...
>>> SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"
>>> ...
>>>
>>> This is from log file:
>>> ---------------------
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Initialising transaction (txid TaNTXH8AAAEAAFC-AdsAAABJ).
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Transaction context created (dcfg b78714e0).
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_early).
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] PdfProtect: Not enabled here.
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_late).
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Adding PDF XSS protection output filter (r b8c2bba8).
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Processing disabled, skipping.
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Initialising logging.
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Starting phase LOGGING.
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] This phase consists of 36 rule(s).
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba1cb0; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "24"].
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba1cb0: SecRule "IP:DOS_BLOCK" "@eq 1" "phase:5,t:none,nolog,skipAfter:END_DOS_PROTECTION_CHECKS"
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba2438; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "30"].
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba2438: SecRule "REQUEST_BASENAME" "!@rx \\.(jpe?g|png|gif|js|css|ico)$" "phase:5,t:none,log,pass,setvar:ip.dos_counter=+1,logdata:'THRESHOLD=%{tx.dos_counter_threshold}; COUNTER=%{ip.dos_counter}'"
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec.
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "!rx" with param "\\.(jpe?g|png|gif|js|css|ico)$" against REQUEST_BASENAME.
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: ""
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][6] Ignoring regex captures since "capture" action is not enabled.
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 17 usec.
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Setting variable: ip.dos_counter=+1
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][3] Could not set variable "ip.dos_counter" as the collection does not exist.
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][2] Warning. Match of "rx \\.(jpe?g|png|gif|js|css|ico)$" against "REQUEST_BASENAME" required. [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "30"] [data "THRESHOLD= ; COUNTER="]
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 1.
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Match -> mode NEXT_RULE.
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba30f8; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "37"].
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba30f8: SecRule "IP:DOS_COUNTER" "@gt %{tx.dos_counter_threshold}" "phase:5,t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter"
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7bca648; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "44"].
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7bca648: SecRule "IP:DOS_BURST_COUNTER" "@ge 1" "phase:5,t:none,log,pass,msg:'Potential Denial of Service (DoS) Attack from %{remote_addr} - # of Request Bursts: %{ip.dos_burst_counter}',setvar:ip.dos_block=1,expirevar:ip.dos_block=%{tx.dos_block_timeout}"
>>> [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
>>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not >>> chained -> mode NEXT_RULE. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking >>> rule b85598c8; [file >>> "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.co<http://modsecurity_crs_60_correlation.co> >>> nf"] [line "21"]. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b85598c8: >>> SecRule "&TX:'/LEAKAGE\\\\/ERRORS/'" "@ge 1" >>> "phase:5,chain,t:none,log,skipAfter:END_CORRELATION,severity:0,msg:'Correl >>> ated Successful Attack Identified: (Total Score: %{tx.anomaly_score}, >>> SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack >>> (%{tx.inbound_tx_msg} - Inbound Anomaly Score: >>> %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - >>> Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'" >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation >>> completed in 1 usec. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator >>> "ge" with param "1" against &TX:/LEAKAGE\/ERRORS/. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0" >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed >>> in 2 usec. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained >>> -> mode NEXT_CHAIN. 
>>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking >>> rule b8578910; [file >>> "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.co<http://modsecurity_crs_60_correlation.co> >>> nf"] [line "28"]. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8578910: >>> SecRule "&TX:'/AVAILABILITY\\\\/APP_NOT_AVAIL/'" "@ge 1" >>> "phase:5,chain,t:none,log,skipAfter:END_CORRELATION,severity:1,msg:'Correl >>> ated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}, >>> SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack >>> (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) >>> + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: >>> %{TX.OUTBOUND_ANOMALY_SCORE})'" >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation >>> completed in 1 usec. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator >>> "ge" with param "1" against &TX:/AVAILABILITY\/APP_NOT_AVAIL/. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0" >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed >>> in 1 usec. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained >>> -> mode NEXT_CHAIN. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking >>> rule b8574618; [file >>> "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.co<http://modsecurity_crs_60_correlation.co> >>> nf"] [line "32"]. 
>>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8574618: >>> SecRule "TX:INBOUND_ANOMALY_SCORE" "@gt 0" >>> "phase:5,chain,t:none,log,noauditlog,skipAfter:END_CORRELATION,msg:'Inboun >>> d Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, >>> SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): >>> %{tx.inbound_tx_msg}'" >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained >>> -> mode NEXT_CHAIN. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking >>> rule b8598b18; [file >>> "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.co<http://modsecurity_crs_60_correlation.co> >>> nf"] [line "36"]. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8598b18: >>> SecRule "TX:INBOUND_ANOMALY_SCORE" "@ge >>> %{tx.inbound_anomaly_score_level}" >>> "phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score Exceeded >>> (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, >>> SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): >>> %{tx.inbound_tx_msg}'" >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not >>> chained -> mode NEXT_RULE. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking >>> rule b8585558; [file >>> "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.co<http://modsecurity_crs_60_correlation.co> >>> nf"] [line "39"]. 
>>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8585558: >>> SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@ge >>> %{tx.outbound_anomaly_score_level}" >>> "phase:5,t:none,log,noauditlog,pass,msg:'Outbound Anomaly Score Exceeded >>> (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'" >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not >>> chained -> mode NEXT_RULE. >>> [11/Apr/2011:12:15:40 --0700] >>> [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Audit log: Not >>> configured to run for this request. >>> >>> >>> >>> -------------------------------------------------------------------------- >>> ---- >>> Forrester Wave Report - Recovery time is now measured in hours and minutes >>> not days. Key insights are discussed in the 2010 Forrester Wave Report as >>> part of an in-depth evaluation of disaster recovery service providers. >>> Forrester found the best-in-class provider in terms of services and >>> vision. >>> Read this report now! <http://p.sf.net/sfu/ibm-webcastpromo> http://p.sf.net/sfu/ibm-webcastpromo >>> _______________________________________________ >>> mod-security-developers mailing list >>> <mailto:mod...@li...> mod...@li...<mailto:mod...@li...> >>> <https://lists.sourceforge.net/lists/listinfo/mod-security-developers> https://lists.sourceforge.net/lists/listinfo/mod-security-developers >>> ModSecurity Services from Trustave's SpiderLabs: >>> <https://www.trustwave.com/spiderLabs.php> https://www.trustwave.com/spiderLabs.php >>> >> >> >> This transmission may contain information that is privileged, confidential, >> and/or exempt from disclosure under applicable law. 
If you are not the intended >> recipient, you are hereby notified that any disclosure, copying, distribution, >> or use of the information contained herein (including any reliance thereon) is >> STRICTLY PROHIBITED. If you received this transmission in error, please >> immediately contact the sender and destroy the material in its entirety, whether >> in electronic or hard copy format. >> >> >> ------------------------------------------------------------------------------ >> Forrester Wave Report - Recovery time is now measured in hours and minutes >> not days. Key insights are discussed in the 2010 Forrester Wave Report as >> part of an in-depth evaluation of disaster recovery service providers. >> Forrester found the best-in-class provider in terms of services and vision. >> Read this report now! <http://p.sf.net/sfu/ibm-webcastpromo> http://p.sf.net/sfu/ibm-webcastpromo >> _______________________________________________ >> mod-security-developers mailing list >> <mailto:mod...@li...> mod...@li...<mailto:mod...@li...> >> <https://lists.sourceforge.net/lists/listinfo/mod-security-developers> https://lists.sourceforge.net/lists/listinfo/mod-security-developers >> ModSecurity Services from Trustave's SpiderLabs: >> <https://www.trustwave.com/spiderLabs.php> https://www.trustwave.com/spiderLabs.php >> > <modsecurity_crs_10_config.conf> > <modsecurity_crs_11_dos_protection.conf> > ------------------------------------------------------------------------------ > Forrester Wave Report - Recovery time is now measured in hours and minutes > not days. Key insights are discussed in the 2010 Forrester Wave Report as > part of an in-depth evaluation of disaster recovery service providers. > Forrester found the best-in-class provider in terms of services and vision. > Read this report now! 
<http://p.sf.net/sfu/ibm-webcastpromo> http://p.sf.net/sfu/ibm-webcastpromo > _______________________________________________ > mod-security-developers mailing list > <mailto:mod...@li...> mod...@li...<mailto:mod...@li...> > <https://lists.sourceforge.net/lists/listinfo/mod-security-developers> https://lists.sourceforge.net/lists/listinfo/mod-security-developers > ModSecurity Services from Trustave's SpiderLabs: > <https://www.trustwave.com/spiderLabs.php> https://www.trustwave.com/spiderLabs.php This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. ------------------------------------------------------------------------------ Forrester Wave Report - Recovery time is now measured in hours and minutes not days. Key insights are discussed in the 2010 Forrester Wave Report as part of an in-depth evaluation of disaster recovery service providers. Forrester found the best-in-class provider in terms of services and vision. Read this report now! 
<http://p.sf.net/sfu/ibm-webcastpromo> http://p.sf.net/sfu/ibm-webcastpromo _______________________________________________ mod-security-developers mailing list <mailto:mod...@li...>mod...@li...<mailto:mod...@li...> <https://lists.sourceforge.net/lists/listinfo/mod-security-developers>https://lists.sourceforge.net/lists/listinfo/mod-security-developers ModSecurity Services from Trustave's SpiderLabs: <https://www.trustwave.com/spiderLabs.php>https://www.trustwave.com/spiderLabs.php ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. |
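The debug log quoted above shows the request hooks reporting "Processing disabled, skipping" while phase 5 rules still run and then fail to set ip.dos_counter because the IP collection was never created. The following added example (not code from the thread or from the ModSecurity/CRS projects) parses debug-log lines of that layout and flags the pattern per transaction, so the condition can be spotted before relying on the DoS counters. The line layout, the constructed sample lines and the diagnosis heuristics are this example's own assumptions derived from the log above.

```python
"""Triage helper for the symptom in this thread: a ModSecurity 2.x debug log
where phases 1-4 report "Processing disabled, skipping" yet phase 5 (LOGGING)
rules still run and the CRS DoS counters fail with "collection does not exist".

Added example, not code from the thread or from the ModSecurity / CRS projects.
The line layout parsed here is the one visible in the quoted log; the
diagnosis heuristics and the sample lines are this example's own assumptions.
"""
import re
from collections import defaultdict

# [timestamp] [host/sid#..][rid#..][uri][level] message   (layout seen in the thread)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<host>[^/\]]+)/sid#(?P<sid>[0-9a-f]+)\]"
    r"\[rid#(?P<rid>[0-9a-f]+)\]\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$"
)
HOOK_SKIPPED_RE = re.compile(r"Processing disabled, skipping \(hook (\w+)\)")
PHASE_START_RE = re.compile(r"Starting phase (\w+)\.")
NO_COLLECTION_RE = re.compile(
    r'Could not set variable "(\w+)\.\w+" as the collection does not exist'
)


def parse_debug_log(text):
    """Return one dict per well-formed debug-log line (wrapped fragments are dropped)."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage_transaction(entries):
    """Classify one transaction's entries; returns the evidence and the findings."""
    skipped_hooks, phases_run, missing = [], [], set()
    for e in entries:
        msg = e["msg"]
        if (m := HOOK_SKIPPED_RE.search(msg)):
            skipped_hooks.append(m.group(1))
        elif (m := PHASE_START_RE.search(msg)):
            phases_run.append(m.group(1))
        elif (m := NO_COLLECTION_RE.search(msg)):
            missing.add(m.group(1))
    findings = []
    # Phases 1-4 never started but the logging phase did: the rule engine was
    # off for this request's context (assumption: that is what ModSecurity 2.x
    # means by "Processing disabled"), so only phase 5 rules were evaluated.
    if skipped_hooks and phases_run == ["LOGGING"]:
        findings.append("rule engine disabled for request: only phase 5 ran")
    # A persistent collection missing in phase 5 means the phase-1 initcol that
    # creates it never executed, so the per-IP DoS counters are silently inactive.
    for col in sorted(missing):
        findings.append(f"collection '{col}' missing: its initcol did not run")
    return {
        "skipped_hooks": skipped_hooks,
        "phases_run": phases_run,
        "missing_collections": sorted(missing),
        "findings": findings,
    }


def triage_debug_log(text):
    """Group parsed lines by request id (rid) and triage each transaction."""
    by_rid = defaultdict(list)
    for e in parse_debug_log(text):
        by_rid[e["rid"]].append(e)
    return {rid: triage_transaction(evs) for rid, evs in by_rid.items()}


# Constructed sample: rid b8c2bba8 mirrors the thread's log, rid 0000aaaa is a
# healthy transaction added for contrast (the second rid and its lines are made up).
SAMPLE_LOG = """\
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Initialising transaction (txid TaNTXH8AAAEAAFC-AdsAAABJ).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_early).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_late).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Processing disabled, skipping.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Starting phase LOGGING.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Setting variable: ip.dos_counter=+1
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][3] Could not set variable "ip.dos_counter" as the collection does not exist.
[11/Apr/2011:12:15:41 --0700] [localhost/sid#b85b0b18][rid#0000aaaa][/index.html][4] Starting phase REQUEST_HEADERS.
[11/Apr/2011:12:15:41 --0700] [localhost/sid#b85b0b18][rid#0000aaaa][/index.html][4] Starting phase REQUEST_BODY.
[11/Apr/2011:12:15:41 --0700] [localhost/sid#b85b0b18][rid#0000aaaa][/index.html][4] Starting phase RESPONSE_HEADERS.
[11/Apr/2011:12:15:41 --0700] [localhost/sid#b85b0b18][rid#0000aaaa][/index.html][4] Starting phase RESPONSE_BODY.
[11/Apr/2011:12:15:41 --0700] [localhost/sid#b85b0b18][rid#0000aaaa][/index.html][4] Starting phase LOGGING.
[11/Apr/2011:12:15:41 --0700] [localhost/sid#b85b0b18][rid#0000aaaa][/index.html][9] Setting variable: ip.dos_counter=+1
"""

if __name__ == "__main__":
    for rid, result in triage_debug_log(SAMPLE_LOG).items():
        print(rid, result["findings"] or ["no problem detected"])
```

Run it against a real SecDebugLog at level 4 or higher; a transaction that is flagged with both findings is exactly the situation in the quoted log.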
From: Ryan B. <RBa...@tr...> - 2011-04-12 00:21:10
Can you also send your other main config file?

On Apr 11, 2011, at 6:55 PM, "Oleg Gryb" <ole...@ya...> wrote:

> Ryan,
> Thank you for the quick response. Here is the information that you've requested:
>
> Apache/2.2.17 (Debian)
> modsecurity-apache_2.5.13
>
> The *.conf files are attached as well. I'll try CRS 2.1.3 and let you know if it
> works.
>
> Please let me know if you have a fix,
> Oleg.
>
> ----- Original Message ----
>> From: Ryan Barnett <RBa...@tr...>
>> To: "ol...@gr..." <ol...@gr...>;
>> "mod...@li..." <mod...@li...>
>> Sent: Mon, April 11, 2011 3:28:38 PM
>> Subject: Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
>>
>> Oleg,
>>
>> What Apache and ModSecurity versions are you using?
>>
>> Can you try and sync from SVN and try the 2.1.3 version of CRS?
>>
>> This does look odd as it is essentially skipping phases 1-4 and then
>> picking up rules in phase:5. Can you send your
>> modsecurity_crs_10_config.conf file?
>>
>> -Ryan
>
> <modsecurity_crs_10_config.conf>
> <modsecurity_crs_11_dos_protection.conf>
From: Oleg G. <ole...@ya...> - 2011-04-11 22:54:52
|
Ryan,

Thank you for the quick response. Here is the information that you've requested:

Apache/2.2.17 (Debian)
modsecurity-apache_2.5.13

The *.conf files are attached as well. I'll try CRS 2.1.3 and let you know if it works.

Please let me know if you have a fix,
Oleg.

----- Original Message ----
> From: Ryan Barnett <RBa...@tr...>
> To: "ol...@gr..." <ol...@gr...>; "mod...@li..." <mod...@li...>
> Sent: Mon, April 11, 2011 3:28:38 PM
> Subject: Re: [Mod-security-developers] CRS 2.1.2 only phase:5 is shown in the log
>
> Oleg,
>
> What Apache and ModSecurity versions are you using?
>
> Can you try and sync from SVN and try the 2.1.3 version of CRS?
>
> This does look odd as it is essentially skipping phases 1-4 and then picking up rules in phase:5. Can you send your modsecurity_crs_10_config.conf file?
>
> -Ryan
>
> On 4/11/11 5:59 PM, "Oleg Gryb" <ole...@ya...> wrote:
>
> >I'm trying to make dos_protection work in CRS 2.1.2 and it seems to me that something is grossly wrong with this version. It looks like the only rules that are executed are the ones in "phase:5", everything else is completely ignored.
> >
> >I have debug level set to 9 and the only rules that are shown in the log file are those that are in phase 5 (see below). Please let me know what is wrong.
> >
> >The collections and variables that are set in modsecurity_crs_10_config.conf are not defined (e.g. IP collection and dos_counter_threshold variable)
> >
> >This is from modsecurity_crs_10_config.conf:
> >-------------------------------------------
> >SecAction "phase:1,t:none,nolog,pass, \
> >setvar:'tx.dos_burst_time_slice=60', \
> >setvar:'tx.dos_counter_threshold=1', \
> >setvar:'tx.dos_block_timeout=600'"
> >...
> >SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"
> >...
> >
> >This is from log file:
> >[...]
|
From: Ryan B. <RBa...@tr...> - 2011-04-11 22:28:52
|
Oleg,

What Apache and ModSecurity versions are you using?

Can you try and sync from SVN and try the 2.1.3 version of CRS?

This does look odd as it is essentially skipping phases 1-4 and then picking up rules in phase:5. Can you send your modsecurity_crs_10_config.conf file?

-Ryan

On 4/11/11 5:59 PM, "Oleg Gryb" <ole...@ya...> wrote:

>I'm trying to make dos_protection work in CRS 2.1.2 and it seems to me that something is grossly wrong with this version. It looks like the only rules that are executed are the ones in "phase:5", everything else is completely ignored.
>
>I have debug level set to 9 and the only rules that are shown in the log file are those that are in phase 5 (see below). Please let me know what is wrong.
>
>The collections and variables that are set in modsecurity_crs_10_config.conf are not defined (e.g. IP collection and dos_counter_threshold variable)
>
>This is from modsecurity_crs_10_config.conf:
>-------------------------------------------
>SecAction "phase:1,t:none,nolog,pass, \
>setvar:'tx.dos_burst_time_slice=60', \
>setvar:'tx.dos_counter_threshold=1', \
>setvar:'tx.dos_block_timeout=600'"
>...
>SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"
>...
>
>This is from log file:
>---------------------
>[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Initialising transaction (txid TaNTXH8AAAEAAFC-AdsAAABJ).
>[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Transaction context created (dcfg b78714e0).
>[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_early).
>[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] PdfProtect: Not enabled here.
>[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_late).
>[...]
|
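A small triage script for the debug log in this thread, added here as an example (it is not code from the thread, from ModSecurity or from CRS): it groups SecDebugLogLevel 9 records by request id and flags the pattern Ryan points at, request hooks reporting "Processing disabled, skipping" (the message the 2.x request hooks log when the rule engine is off for that request's context) while phase 5 still runs and setvar on ip.* fails because no initcol ever executed. The sample log is built from Oleg's records with the e-mail line wrapping undone, plus one constructed healthy transaction (rid c0ffee01, rule b7b9f0a0, both invented) for contrast.

```python
# Triage of a ModSecurity 2.x debug log for the failure pattern in this thread:
# request hooks skipped, phase 5 still run, setvar on an uninitialised collection.
# Added example, not code from the thread, ModSecurity or CRS.
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One debug-log record: [ts] [host/sid#..][rid#..][uri][level] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<host>[^\]/]+)/sid#(?P<sid>[0-9a-f]+)\]"
    r"\[rid#(?P<rid>[0-9a-f]+)\]\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$"
)
# "Processing disabled, skipping (hook request_early)." and "Hook insert_filter:
# Processing disabled, skipping." both mean the engine is off for this context.
SKIP_RE = re.compile(
    r"^(?:Hook (?P<h1>\w+): )?Processing disabled, skipping(?: \(hook (?P<h2>\w+)\))?\.$"
)
PHASE_RE = re.compile(r"^Starting phase (?P<phase>[A-Z_]+)\.$")
INVOKE_RE = re.compile(r"^Recipe: Invoking rule (?P<rule>[0-9a-f]+);")
NOCOLL_RE = re.compile(
    r'^Could not set variable "(?P<var>[^"]+)" as the collection does not exist\.$'
)

@dataclass
class TxReport:
    rid: str
    uri: str = ""
    skipped_hooks: list = field(default_factory=list)
    phases_started: list = field(default_factory=list)
    rules_invoked: int = 0
    missing_collection_vars: list = field(default_factory=list)

    def findings(self) -> list[str]:
        """Diagnosis lines for this transaction; empty means it looks healthy."""
        out = []
        if self.skipped_hooks:
            out.append(
                f"request hooks skipped ({', '.join(self.skipped_hooks)}): the rule "
                "engine is disabled for this context, so phases 1-4 never ran; "
                "check SecRuleEngine where this request is handled"
            )
        if self.skipped_hooks and "LOGGING" in self.phases_started:
            out.append(
                f"phase 5 (LOGGING) still ran {self.rules_invoked} rule(s): any "
                "phase:1 setvar/initcol they depend on never executed"
            )
        for var in self.missing_collection_vars:
            coll = var.split(".", 1)[0]
            out.append(
                f"setvar on {var} failed: collection '{coll}' was never initialised "
                f"(no initcol:{coll}=... ran before this phase)"
            )
        return out

def parse_debug_log(text: str) -> dict[str, TxReport]:
    """Group debug-log records by request id and pull out the symptoms above."""
    reports: dict[str, TxReport] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # wrapped continuation line or unrelated output
        rep = reports.setdefault(m["rid"], TxReport(rid=m["rid"]))
        rep.uri = m["uri"] or rep.uri
        msg = m["msg"]
        if s := SKIP_RE.match(msg):
            rep.skipped_hooks.append(s["h1"] or s["h2"] or "unknown")
        elif p := PHASE_RE.match(msg):
            rep.phases_started.append(p["phase"])
        elif INVOKE_RE.match(msg):
            rep.rules_invoked += 1
        elif n := NOCOLL_RE.match(msg):
            rep.missing_collection_vars.append(n["var"])
    return reports

def triage(text: str) -> dict[str, list[str]]:
    """Only the transactions that show the failure pattern, with their findings."""
    return {rid: r.findings() for rid, r in parse_debug_log(text).items() if r.findings()}

# Constructed sample: Oleg's records with the e-mail line wrapping undone, plus an
# invented healthy transaction (rid c0ffee01, rule b7b9f0a0) that does run phase 1.
SAMPLE_LOG = """\
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Initialising transaction (txid TaNTXH8AAAEAAFC-AdsAAABJ).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_early).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_late).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Processing disabled, skipping.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Starting phase LOGGING.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba1cb0; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "24"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba2438; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "30"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][3] Could not set variable "ip.dos_counter" as the collection does not exist.
[11/Apr/2011:12:16:02 --0700] [localhost/sid#b85b0b18][rid#c0ffee01][/index.html][4] Starting phase REQUEST_HEADERS.
[11/Apr/2011:12:16:02 --0700] [localhost/sid#b85b0b18][rid#c0ffee01][/index.html][4] Recipe: Invoking rule b7b9f0a0; [file "/etc/apache2/modsecurity-crs/modsecurity_crs_10_config.conf"] [line "42"].
[11/Apr/2011:12:16:02 --0700] [localhost/sid#b85b0b18][rid#c0ffee01][/index.html][4] Starting phase LOGGING.
"""

if __name__ == "__main__":
    for rid, lines in triage(SAMPLE_LOG).items():
        print(f"rid#{rid}", *lines, sep="\n  - ")
```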
From: Oleg G. <ole...@ya...> - 2011-04-11 21:59:58
|
I'm trying to make dos_protection work in CRS 2.1.2 and it seems to me that something is grossly wrong with this version. It looks like the only rules that are executed are the ones in "phase:5", everything else is completely ignored.

I have debug level set to 9 and the only rules that are shown in the log file are those that are in phase 5 (see below). Please let me know what is wrong.

The collections and variables that are set in modsecurity_crs_10_config.conf are not defined (e.g. IP collection and dos_counter_threshold variable)

This is from modsecurity_crs_10_config.conf:
-------------------------------------------
SecAction "phase:1,t:none,nolog,pass, \
setvar:'tx.dos_burst_time_slice=60', \
setvar:'tx.dos_counter_threshold=1', \
setvar:'tx.dos_block_timeout=600'"
...
SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"
...

This is from log file:
---------------------
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Initialising transaction (txid TaNTXH8AAAEAAFC-AdsAAABJ).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Transaction context created (dcfg b78714e0).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_early).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] PdfProtect: Not enabled here.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/][4] Processing disabled, skipping (hook request_late).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Adding PDF XSS protection output filter (r b8c2bba8).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Hook insert_filter: Processing disabled, skipping.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Initialising logging.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Starting phase LOGGING.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] This phase consists of 36 rule(s).
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba1cb0; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "24"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba1cb0: SecRule "IP:DOS_BLOCK" "@eq 1" "phase:5,t:none,nolog,skipAfter:END_DOS_PROTECTION_CHECKS"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba2438; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "30"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba2438: SecRule "REQUEST_BASENAME" "!@rx \\.(jpe?g|png|gif|js|css|ico)$" "phase:5,t:none,log,pass,setvar:ip.dos_counter=+1,logdata:'THRESHOLD= %{tx.dos_counter_threshold}; COUNTER=%{ip.dos_counter}'"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "!rx" with param "\\.(jpe?g|png|gif|js|css|ico)$" against REQUEST_BASENAME.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: ""
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][6] Ignoring regex captures since "capture" action is not enabled.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 17 usec.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Setting variable: ip.dos_counter=+1
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][3] Could not set variable "ip.dos_counter" as the collection does not exist.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][2] Warning. Match of "rx \\.(jpe?g|png|gif|js|css|ico)$" against "REQUEST_BASENAME" required. [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "30"] [data "THRESHOLD= ; COUNTER="]
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 1.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Match -> mode NEXT_RULE.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7ba30f8; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "37"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7ba30f8: SecRule "IP:DOS_COUNTER" "@gt %{tx.dos_counter_threshold}" "phase:5,t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b7bca648; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "44"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b7bca648: SecRule "IP:DOS_BURST_COUNTER" "@ge 1" "phase:5,t:none,log,pass,msg:'Potential Denial of Service (DoS) Attack from %{remote_addr} - # of Request Bursts: %{ip.dos_burst_counter}',setvar:ip.dos_block=1,expirevar:ip.dos_block=%{tx.dos_block_timeout}"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b85598c8; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "21"].
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b85598c8: SecRule "&TX:'/LEAKAGE\\\\/ERRORS/'" "@ge 1" "phase:5,chain,t:none,log,skipAfter:END_CORRELATION,severity:0,msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "ge" with param "1" against &TX:/LEAKAGE\/ERRORS/.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0"
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 2 usec.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0.
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained -> mode NEXT_CHAIN. [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8578910; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "28"]. [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8578910: SecRule "&TX:'/AVAILABILITY\\\\/APP_NOT_AVAIL/'" "@ge 1" "phase:5,chain,t:none,log,skipAfter:END_CORRELATION,severity:1,msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'" [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Transformation completed in 1 usec. [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Executing operator "ge" with param "1" against &TX:/AVAILABILITY\/APP_NOT_AVAIL/. [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] Target value: "0" [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Operator completed in 1 usec. [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained -> mode NEXT_CHAIN. [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8574618; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "32"]. 
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8574618: SecRule "TX:INBOUND_ANOMALY_SCORE" "@gt 0" "phase:5,chain,t:none,log,noauditlog,skipAfter:END_CORRELATION,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'" [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, chained -> mode NEXT_CHAIN. [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8598b18; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "36"]. [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8598b18: SecRule "TX:INBOUND_ANOMALY_SCORE" "@ge %{tx.inbound_anomaly_score_level}" "phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'" [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE. [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Recipe: Invoking rule b8585558; [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "39"]. 
[11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][5] Rule b8585558: SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@ge %{tx.outbound_anomaly_score_level}" "phase:5,t:none,log,noauditlog,pass,msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'" [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Rule returned 0. [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][9] No match, not chained -> mode NEXT_RULE. [11/Apr/2011:12:15:40 --0700] [localhost/sid#b85b0b18][rid#b8c2bba8][/index.html][4] Audit log: Not configured to run for this request. |
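The debug log above also shows why the counters never move: the request hooks log "Processing disabled, skipping", which is what ModSecurity 2.x emits when the rule engine is disabled for that context, so the phase 1 SecAction that runs initcol:ip never executes while the logging phase (phase 5) still does, and setvar:ip.dos_counter then fails with "the collection does not exist". The block below is an added example, not CRS or ModSecurity code: it models the dos_protection rules quoted in the log as a stand-alone state machine (one per-client collection keyed like initcol:ip=%{remote_addr}_%{tx.ua_hash}, expirevar modelled as an absolute expiry time per variable) so the interaction of dos_counter_threshold, dos_burst_time_slice and dos_block_timeout can be checked against a constructed request timeline. The phase 1 blocking rule, all class and function names, and the sample timeline are assumptions of the example.

```python
"""Model of the CRS 2.1.2 dos_protection rules (added example, not CRS code).

Rules as they appear in the debug log, mapped to Python:
  phase 5: REQUEST_BASENAME !@rx \.(jpe?g|png|gif|js|css|ico)$ -> ip.dos_counter += 1
  phase 5: IP:DOS_COUNTER @gt tx.dos_counter_threshold          -> ip.dos_burst_counter += 1,
           expirevar ip.dos_burst_counter=tx.dos_burst_time_slice, delete ip.dos_counter
  phase 5: IP:DOS_BURST_COUNTER @ge 1                            -> ip.dos_block = 1,
           expirevar ip.dos_block=tx.dos_block_timeout
  phase 1 (assumed here, not in the posted log): IP:DOS_BLOCK @eq 1 -> deny
The IP collection is keyed as initcol:ip=%{remote_addr}_%{tx.ua_hash} keys it.
"""
import re
from dataclasses import dataclass, field

STATIC_RE = re.compile(r"\.(jpe?g|png|gif|js|css|ico)$")

# tx.* values from the poster's modsecurity_crs_10_config.conf.
DOS_BURST_TIME_SLICE = 60
DOS_COUNTER_THRESHOLD = 1
DOS_BLOCK_TIMEOUT = 600


@dataclass
class IpCollection:
    """One persistent IP collection: variables plus a per-variable expiry time."""
    values: dict = field(default_factory=dict)
    expires: dict = field(default_factory=dict)

    def get(self, name):
        return self.values.get(name, 0)

    def setvar(self, name, value):
        self.values[name] = value

    def incr(self, name):                      # setvar:ip.name=+1
        self.values[name] = self.get(name) + 1

    def delvar(self, name):                    # setvar:!ip.name
        self.values.pop(name, None)
        self.expires.pop(name, None)

    def expirevar(self, name, ttl, now):       # expirevar:ip.name=ttl
        self.expires[name] = now + ttl

    def purge_expired(self, now):
        for name, deadline in list(self.expires.items()):
            if now >= deadline:
                self.delvar(name)


class DosProtection:
    def __init__(self, threshold=DOS_COUNTER_THRESHOLD,
                 burst_slice=DOS_BURST_TIME_SLICE, block_timeout=DOS_BLOCK_TIMEOUT):
        self.threshold = threshold
        self.burst_slice = burst_slice
        self.block_timeout = block_timeout
        self.collections = {}

    def handle(self, remote_addr, ua_hash, path, now):
        """Process one request at time `now`; returns "deny" or "pass"."""
        key = f"{remote_addr}_{ua_hash}"       # initcol:ip=%{remote_addr}_%{tx.ua_hash}
        ip = self.collections.setdefault(key, IpCollection())
        ip.purge_expired(now)

        # phase 1: an already-blocked client is refused before any counting.
        if ip.get("dos_block") == 1:
            return "deny"

        # phase 5: the counting rules run after the response has been served,
        # so a block set here only bites on the client's next request.
        basename = path.rsplit("/", 1)[-1]
        if not STATIC_RE.search(basename):
            ip.incr("dos_counter")
        if ip.get("dos_counter") > self.threshold:
            ip.incr("dos_burst_counter")
            ip.expirevar("dos_burst_counter", self.burst_slice, now)
            ip.delvar("dos_counter")
        if ip.get("dos_burst_counter") >= 1:
            ip.setvar("dos_block", 1)
            ip.expirevar("dos_block", self.block_timeout, now)
        return "pass"


# Constructed timeline (seconds, path) for one client; not taken from the poster's logs.
SAMPLE_REQUESTS = [
    (0, "/index.html"),    # counter 1, within the threshold of 1
    (1, "/index.html"),    # counter 2 > 1: burst 1, dos_block set for 600 s
    (2, "/index.html"),    # denied in phase 1
    (3, "/logo.png"),      # static or not, denied while dos_block is live
    (601, "/index.html"),  # dos_block (600 s) and burst (60 s) expired: counting restarts
    (602, "/index.html"),  # second dynamic request in the slice: blocked again
    (603, "/index.html"),  # denied
]


def simulate(requests=SAMPLE_REQUESTS, remote_addr="192.0.2.10", ua_hash="c0ffee"):
    """Run a request timeline through the model; returns one decision per request."""
    dp = DosProtection()
    return [dp.handle(remote_addr, ua_hash, path, t) for t, path in requests]


if __name__ == "__main__":
    for (t, path), verdict in zip(SAMPLE_REQUESTS, simulate()):
        print(f"t={t:4d} {path:12s} {verdict}")
```

With the posted threshold of 1, the second dynamic request inside a time slice is already enough to set ip.dos_block, and a different User-Agent hash from the same address lands in a separate collection, which is worth remembering when tuning these values or testing with several clients.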
From: Breno S. P. (JIRA) <no...@mo...> - 2011-03-31 19:58:41

    [ https://www.modsecurity.org/tracker/browse/MODSEC-31?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-31.
-------------------------------------

    Resolution: Not a Bug

It seems not to be a bug. I re-enabled this for 2.6.0. If we have any new issue I will investigate.

> Allow ModSecurity to inspect the response of internal redirects and ErrorDocuments
> ----------------------------------------------------------------------------------
>
>              Key: MODSEC-31
>              URL: https://www.modsecurity.org/tracker/browse/MODSEC-31
>          Project: ModSecurity
>       Issue Type: Improvement
>   Security Level: Normal
>       Components: Core
> Affects Versions: 2.5.7
>         Reporter: Brian Rectanus
>         Assignee: Breno Silva Pinto
>         Priority: Low
>          Fix For: 2.6.0
>
>
> Inspection of internal redirects and error docs was removed from 2.5 due to this causing some strange errors in some circumstances. This should be fixed and the feature re-enabled. See MODSEC-30 for a good example of why.

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: https://www.modsecurity.org/tracker/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira
From: Breno S. P. (JIRA) <no...@mo...> - 2011-03-31 19:56:14

    [ https://www.modsecurity.org/tracker/browse/MODSEC-151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-151.
--------------------------------------

    Resolution: Fixed

I added return code checks for URIBL and SpamHaus. Also, using the capture keyword, the match msg will be in tx.0.

> Enhanced @rbl support
> ---------------------
>
>              Key: MODSEC-151
>              URL: https://www.modsecurity.org/tracker/browse/MODSEC-151
>          Project: ModSecurity
>       Issue Type: Improvement
>   Security Level: Normal
>       Components: Operators
>         Reporter: Brian Rectanus
>         Assignee: Breno Silva Pinto
>          Fix For: 2.6.0
>
>
> Need to enhance @rbl so that we can check the values returned in the last octet. Maybe just place the value in RBL var? Or maybe make "capture" save it to TX.0?
> Problem is that we really need bitwise operators to check the values ;)
> For example:
> multi.uribl.com list contains all of the list data, and is the list that we recommend you query to produce your results instead of making separate requests to each list. If a domain is found on multi, it will return an IP address of 127.0.0.X where X is the value for what list it is on. See the following reference..
>
> X    Binary     On List
> ------------------------------------------------------
> 2    00000010   black
> 4    00000100   grey
> 8    00001000   red
> 14   00001110   black,grey,red (for testpoints)
> 255  11111111   your DNS is blocked from querying URIBL
> ------------------------------------------------------
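The bitwise check the ticket asks for, as an added example that is not ModSecurity's @rbl code and covers only the URIBL table quoted above (Spamhaus return codes are not modelled). The list bits are the ones in that table; the point a rule author has to get right is that 255 is a refusal sentinel and not a listing, even though every list bit is set in it. The sample answers are constructed, not real lookups, and the function names are the example's own.

```python
"""Decode multi.uribl.com answers as described in MODSEC-151 (added example,
not ModSecurity's @rbl implementation).

An A record of 127.0.0.X carries a bitmask in X; 255 means the resolver is
refused and says nothing about the queried domain.
"""
import ipaddress

# Bit -> list name, from the URIBL table quoted in the ticket.
URIBL_LISTS = {2: "black", 4: "grey", 8: "red"}
URIBL_REFUSED = 255            # "your DNS is blocked from querying URIBL"
RBL_ANSWER_NET = ipaddress.IPv4Network("127.0.0.0/8")


def uribl_decode(answer: str):
    """Return (lists, refused) for one A-record answer from multi.uribl.com.

    lists:   sorted names of the lists whose bit is set in the last octet.
    refused: True when the 255 sentinel came back; lists is then empty
             because the answer carries no information about the domain.
    Anything outside 127.0.0.0/8 is not an RBL answer and is rejected.
    """
    ip = ipaddress.IPv4Address(answer)
    if ip not in RBL_ANSWER_NET:
        raise ValueError(f"{answer} is not an RBL answer")
    x = int(ip) & 0xFF                       # the X in 127.0.0.X
    if x == URIBL_REFUSED:
        return [], True
    return sorted(name for bit, name in URIBL_LISTS.items() if x & bit), False


def uribl_on_list(answer: str, wanted: str) -> bool:
    """Bitwise membership test for one list that never trusts the 255 sentinel."""
    lists, refused = uribl_decode(answer)
    return (not refused) and wanted in lists


# Constructed answers (not real lookups) covering the ticket's table.
SAMPLE_ANSWERS = {
    "only-black.example": "127.0.0.2",
    "testpoint.example": "127.0.0.14",
    "our-resolver": "127.0.0.255",
}


def classify(answers=SAMPLE_ANSWERS) -> dict:
    """Decode a batch of answers; returns {name: (lists, refused)}."""
    return {name: uribl_decode(a) for name, a in answers.items()}


if __name__ == "__main__":
    for name, (lists, refused) in classify().items():
        print(f"{name:20s} refused={refused} lists={lists}")
```

A naive `x & 2` test would report the 255 answer as "black" and block traffic whenever the resolver is rate-limited, which is why the sentinel is checked before any bit is read.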
From: Ryan B. (JIRA) <tr...@mo...> - 2011-03-31 13:46:38

    [ https://www.modsecurity.org/tracker/browse/MODCOMM-6?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ryan Barnett resolved MODCOMM-6.
--------------------------------

    Resolution: Fixed

Added the new cmdLine tfn code.

> Review Marc Stern's t:cmdLine
> -----------------------------
>
>              Key: MODCOMM-6
>              URL: https://www.modsecurity.org/tracker/browse/MODCOMM-6
>          Project: ModSecurity Community
>       Issue Type: Task
>   Security Level: Normal
>       Components: Development
>         Reporter: Ivan Ristic
>         Assignee: Breno Silva Pinto
From: Ryan B. <RBa...@tr...> - 2011-03-30 15:14:56

Greetings everyone,

Trustwave has some big news today for the ModSecurity Project:
http://blog.spiderlabs.com/2011/03/modsecurity-update-increasing-community-involvement.html

The most important news is that we are changing from the GPLv2 license to the Apache Software v2 License. This will allow for wider adoption and development of ModSecurity.

Check out our updated homepage - http://www.modsecurity.org/ - which also now includes a link to a page for Developers (http://www.modsecurity.org/developers/).

If you would like to contribute code/enhancements to ModSecurity please sign up for the Developers mailing list (http://lists.sourceforge.net/lists/listinfo/mod-security-developers) and send us a note.

Cheers,
Ryan

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
From: Breno S. P. (JIRA) <no...@mo...> - 2011-03-30 14:24:17

    [ https://www.modsecurity.org/tracker/browse/MODSEC-141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-141.
--------------------------------------

    Resolution: Fixed

The pattern matching operator now supports the syntax:

    breno ry|61|n |41 42 43 44| function|28|re|28|s,n,r,b,e|29|

This will make our operator more powerful.

> Add basic pattern matching to @pm
> ---------------------------------
>
>              Key: MODSEC-141
>              URL: https://www.modsecurity.org/tracker/browse/MODSEC-141
>          Project: ModSecurity
>       Issue Type: Improvement
>   Security Level: Normal
>       Components: Operators
>         Reporter: Brian Rectanus
>         Assignee: Breno Silva Pinto
>          Fix For: 2.6.0
>
>
> The @pm operator needs to be able to handle basic characterset patterns like boundaries, whitespace, alpha, numeric, etc.
> Probably need to be all anchors or 1:1 mappings (ie no variable width patterns like \s+).
> PCRE style character class identifiers should be used (ie \b, \s, \S, etc.)
> Need a way to escape them. (ie \\b)
> Need a way to use non-printable characters (ie \x00) and escape them (ie \\x00)
> Need to be possible:
> - \bword\b
> - \b1.2.3.4.5\b
> - \b1.2.3.
> - \bparam\d
> - \b\d\d\d\d-\d\d\d\d-\d\d\d\d-\d\d\d\d\b
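The |hex| phrase syntax in the resolution comment above, worked through as an added example that is not ModSecurity's own @pm parser: phrases are separated by whitespace outside |...| blocks, and inside a block each whitespace-separated two-digit hex value is one literal byte, which is how a phrase can carry parentheses, commas, a NUL or any byte the bare syntax cannot (the ticket's "non-printable characters" need). Matching here is a plain substring search over every decoded phrase; the real @pm uses an Aho-Corasick automaton, and, like it, the comparison below is case-insensitive. The function names and the sample input are the example's own.

```python
"""Decoder and matcher for the |hex| @pm phrase syntax of MODSEC-141
(added example, not ModSecurity's parser).

Spec grammar used here:
  phrase list := phrases separated by whitespace outside |...| blocks
  phrase      := literal characters and |hex| blocks, e.g.  ry|61|n  -> b"ryan"
  hex block   := |HH HH ...|  two hex digits per byte, whitespace-separated
"""

# The phrase list quoted in the resolution comment above.
EXAMPLE_SPEC = "breno ry|61|n |41 42 43 44| function|28|re|28|s,n,r,b,e|29|"


def split_phrases(spec: str) -> list:
    """Split an @pm parameter on whitespace that lies outside |...| blocks."""
    phrases, current, in_hex = [], [], False
    for ch in spec:
        if ch == "|":
            in_hex = not in_hex
            current.append(ch)
        elif ch.isspace() and not in_hex:
            if current:
                phrases.append("".join(current))
                current = []
        else:
            current.append(ch)
    if in_hex:
        raise ValueError("unterminated |hex| block in @pm parameter")
    if current:
        phrases.append("".join(current))
    return phrases


def decode_phrase(phrase: str) -> bytes:
    """Turn one phrase into the exact byte string it matches."""
    out = bytearray()
    i = 0
    while i < len(phrase):
        if phrase[i] == "|":
            end = phrase.find("|", i + 1)
            if end < 0:
                raise ValueError("unterminated |hex| block in phrase")
            for tok in phrase[i + 1:end].split():
                if len(tok) != 2:
                    raise ValueError(f"bad hex byte {tok!r} in phrase")
                out.append(int(tok, 16))         # ValueError on non-hex digits
            i = end + 1
        else:
            out += phrase[i].encode("latin-1")
            i += 1
    return bytes(out)


def compile_pm(spec: str) -> list:
    """Decode every phrase; lower-cased so matching is case-insensitive like @pm."""
    return [decode_phrase(p).lower() for p in split_phrases(spec)]


def pm_match(spec: str, data: bytes) -> list:
    """Return the decoded phrases present in `data` (empty list: @pm would not match)."""
    haystack = data.lower()
    return [p for p in compile_pm(spec) if haystack.find(p) >= 0]


# Constructed sample input (not from the page): a query string carrying a
# function-call pattern and a mixed-case copy of one phrase.
SAMPLE_INPUT = b"q=1%29%20AND%20Function(re(s,n,r,b,e)&user=RYAN"

if __name__ == "__main__":
    for phrase in split_phrases(EXAMPLE_SPEC):
        print(f"{phrase:35s} -> {decode_phrase(phrase)!r}")
    print("matched:", pm_match(EXAMPLE_SPEC, SAMPLE_INPUT))
```

Because the hex block is decoded to raw bytes before matching, a phrase such as `a|00|b` matches an embedded NUL exactly, and the "|" and whitespace characters inside a block never act as phrase separators.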
From: Breno S. P. (JIRA) <no...@mo...> - 2011-03-28 18:50:15

    [ https://www.modsecurity.org/tracker/browse/MODSEC-178?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-178.
--------------------------------------

    Resolution: Fixed

> Rule removal by tag
> -------------------
>
>              Key: MODSEC-178
>              URL: https://www.modsecurity.org/tracker/browse/MODSEC-178
>          Project: ModSecurity
>       Issue Type: New Feature
>   Security Level: Normal
>       Components: Configuration
> Affects Versions: 2.5.12
>      Environment: CentOS release 5.5 (Final)
>                   mod_security-2.5.12-1.el5 (EPEL)
>         Reporter: George Notaras
>         Assignee: Breno Silva Pinto
>          Fix For: 2.6.0
>
>
> Removing rules by tag would be an extremely useful feature as it would facilitate the clean removal of several rules at once.
From: Breno S. P. (JIRA) <no...@mo...> - 2011-03-25 13:57:22

    [ https://www.modsecurity.org/tracker/browse/MODSEC-32?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-32.
-------------------------------------

    Resolution: Fixed

> SecAuditLogParts I does not log uploaded filenames
> --------------------------------------------------
>
>              Key: MODSEC-32
>              URL: https://www.modsecurity.org/tracker/browse/MODSEC-32
>          Project: ModSecurity
>       Issue Type: Improvement
>   Security Level: Normal
>       Components: Core
> Affects Versions: 2.5.7
>      Environment: Windows and Unix
>         Reporter: Marc Stern
>         Assignee: Breno Silva Pinto
>          Fix For: 2.6.0
>
>
> When using "SecAuditLogParts ABCFHZ", we see in the log the complete uploaded files, together with their name.
> When using "SecAuditLogParts ABIFHZ", we obviously do not see the uploaded files content, but their name is not logged. Other arguments are logged.
From: Breno S. P. (JIRA) <no...@mo...> - 2011-03-25 13:57:22

    [ https://www.modsecurity.org/tracker/browse/MODSEC-38?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-38.
-------------------------------------

    Resolution: Fixed

> The @rx and @pm parameters are not escaped before they are used in messages
> ---------------------------------------------------------------------------
>
>              Key: MODSEC-38
>              URL: https://www.modsecurity.org/tracker/browse/MODSEC-38
>          Project: ModSecurity
>       Issue Type: Bug
>   Security Level: Normal
>       Components: Core
> Affects Versions: 2.5.6, 2.5.7, 2.5.8, 2.5.9
>         Reporter: Ivan Ristic
>         Assignee: Breno Silva Pinto
>          Fix For: 2.6.0
>
>
> The @rx and @pm parameters are not escaped before they are used in messages. So, for example, if a parameter to @rx is " (one double quote), the associated message will say """ (three double quotes), instead of "\"". Same for @pm.
From: Breno S. P. (JIRA) <no...@mo...> - 2011-03-25 13:57:16

    [ https://www.modsecurity.org/tracker/browse/MODSEC-214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-214.
--------------------------------------

    Resolution: Fixed

> Save gsblookup match in Tx collection
> -------------------------------------
>
>              Key: MODSEC-214
>              URL: https://www.modsecurity.org/tracker/browse/MODSEC-214
>          Project: ModSecurity
>       Issue Type: Improvement
>   Security Level: Normal
> Affects Versions: 2.5.13
>         Reporter: Breno Silva Pinto
>         Assignee: Breno Silva Pinto
>          Fix For: 2.6.0
From: Breno S. P. (JIRA) <no...@mo...> - 2011-03-25 13:57:15

    [ https://www.modsecurity.org/tracker/browse/MODSEC-215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-215.
--------------------------------------

    Resolution: Fixed

> Add cmdline transformation (by Marc Stern)
> ------------------------------------------
>
>              Key: MODSEC-215
>              URL: https://www.modsecurity.org/tracker/browse/MODSEC-215
>          Project: ModSecurity
>       Issue Type: New Feature
>   Security Level: Normal
>       Components: Transformations
>         Reporter: Breno Silva Pinto
>         Assignee: Breno Silva Pinto
>          Fix For: 2.6.0