mod-security-users

[mod-security-users] Upcoming OWASP ModSecurity Core Rule Set Security Releases

[Christian F. <chr...@ne...>]

Dear all,

A security problem with the OWASP ModSecurity Core Rule Set has been brought
to our attention recently. The CRS team is now working on a fix that will be
released on Wednesday as 3.1.2, 3.2.1 and 3.3.2.

More infos at 

https://coreruleset.org/20210628/upcoming-crs-security-releases/

Best regards,

Christian Folini, CRS Co-Lead


-- 
The intersection of all majorities is the empty set - The 
union of even the smallest minorities is the universal set.
--- Linus Thorvalds

[mod-security-users] about ip/IP

[<877...@qq...>]

hi, all:


For below rule, two high lighted IP/ip will be translated to client IP address ? only in this case, it is reasonable.


SecRule IP:DOS_BURST_COUNTER "@ge 1" \
    "id:912171,\
    phase:5,\
    pass,\
    t:none,\
    log,\
    msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-dos',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.2.0',\
    setvar:'ip.dos_block=1',\
    expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"





Thanks
huiming

Re: [mod-security-users] about ip/IP

[<877...@qq...>]

but I DO NOT find any document that  ip (low case) will be translated to brower ip.




------------------ Original ------------------
From:                                                                                                                        "mod-security-users"                                                                                    <mod...@li...&gt;;
Date:&nbsp;Wed, Jun 30, 2021 10:17 AM
To:&nbsp;"mod-security-users"<mod...@li...&gt;;
Cc:&nbsp;"huiming"<877...@qq...&gt;;
Subject:&nbsp;[mod-security-users] about ip/IP



hi, all:


For below rule, two high lighted IP/ip will be translated to client IP address ? only in this case, it is reasonable.


SecRule IP:DOS_BURST_COUNTER "@ge 1" \
&nbsp; &nbsp; "id:912171,\
&nbsp; &nbsp; phase:5,\
&nbsp; &nbsp; pass,\
&nbsp; &nbsp; t:none,\
&nbsp; &nbsp; log,\
&nbsp; &nbsp; msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\
&nbsp; &nbsp; tag:'application-multi',\
&nbsp; &nbsp; tag:'language-multi',\
&nbsp; &nbsp; tag:'platform-multi',\
&nbsp; &nbsp; tag:'attack-dos',\
&nbsp; &nbsp; tag:'paranoia-level/2',\
&nbsp; &nbsp; ver:'OWASP_CRS/3.2.0',\
&nbsp; &nbsp; setvar:'ip.dos_block=1',\
&nbsp; &nbsp; expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"





Thanks
huiming

Re: [mod-security-users] about ip/IP

[<877...@qq...>]

I found it , ip is initialized in configation file REQUEST-901-INITIALIZATION.conf file




------------------ Original ------------------
From:                                                                                                                        "mod-security-users"                                                                                    <mod...@li...&gt;;
Date:&nbsp;Wed, Jun 30, 2021 10:33 AM
To:&nbsp;"mod-security-users"<mod...@li...&gt;;
Cc:&nbsp;"huiming"<877...@qq...&gt;;
Subject:&nbsp;Re: [mod-security-users] about ip/IP



but I DO NOT find any document that&nbsp; ip (low case) will be translated to brower ip.




------------------ Original ------------------
From:                                                                                                                        "mod-security-users"                                                                                    <mod...@li...&gt;;
Date:&nbsp;Wed, Jun 30, 2021 10:17 AM
To:&nbsp;"mod-security-users"<mod...@li...&gt;;
Cc:&nbsp;"huiming"<877...@qq...&gt;;
Subject:&nbsp;[mod-security-users] about ip/IP



hi, all:


For below rule, two high lighted IP/ip will be translated to client IP address ? only in this case, it is reasonable.


SecRule IP:DOS_BURST_COUNTER "@ge 1" \
&nbsp; &nbsp; "id:912171,\
&nbsp; &nbsp; phase:5,\
&nbsp; &nbsp; pass,\
&nbsp; &nbsp; t:none,\
&nbsp; &nbsp; log,\
&nbsp; &nbsp; msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\
&nbsp; &nbsp; tag:'application-multi',\
&nbsp; &nbsp; tag:'language-multi',\
&nbsp; &nbsp; tag:'platform-multi',\
&nbsp; &nbsp; tag:'attack-dos',\
&nbsp; &nbsp; tag:'paranoia-level/2',\
&nbsp; &nbsp; ver:'OWASP_CRS/3.2.0',\
&nbsp; &nbsp; setvar:'ip.dos_block=1',\
&nbsp; &nbsp; expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"





Thanks
huiming