Thread: [mod-security-users] Logging POST body ...
From: Kiffin G. <Kif...@to...> - 2008-01-23 07:52:42
Hi there.

I've been struggling some time now with this problem writing my own Apache module and was hoping someone from this fine forum could help me.

What's the easiest way to trace the body of a given POST request in a separate log file dedicated to posts of a certain class, allowing the request to pass through untouched to its original destination? These are simple posts which are no larger than 1K.

I've searched through the mod_security code and noticed some stuff, but it seems too complicated for this simple task I want to code up.

Thanks a lot in advance,
Kiffin

--
Kiffin Gish
From: Kiffin G. <kif...@to...> - 2008-01-23 17:37:26
Hi Chris,

You recently sent me an answer to my question how to log the body of POST requests, and you suggested I use the following lines:

SecRuleEngine On
SecRequestBodyAccess On

SecAuditEngine On
SecAuditLogType Concurrent
SecAuditLogDataDir /path/to/log-directory
SecAuditLogParts ABCFHZ||
SecDefaultAction "nolog,noauditlog,allow,phase:2"

SecRule REQUEST_METHOD "^POST$" "chain,phase:2"
SecRule REQUEST_URI "/your/uri" "auditlog,allow"

However, when I fire up Apache I get the following errors:

- Invalid parts specification for SecAuditLogParts: ABCFHZ||

So I just remove the "||", which seems to solve it, but then I get:

- ModSecurity: Disruptive actions can only be specified by chain starter rules.

which applies to the last SecRule. What's going wrong?

Thanks again,
Kiffin

--
Kiffin Gish | Desktop & Services Development | TomTom | kif...@to... | +31 (0) 6 15529214 mobile | +31 (0) 20 850 0989 office

This e-mail message contains information which is confidential and may be privileged. It is intended for use by the addressee only. If you are not the intended addressee, we request that you notify the sender immediately and delete or destroy this e-mail message and any attachment(s), without copying, saving, forwarding, disclosing or using its contents in any other way. TomTom N.V., TomTom International BV or any other company belonging to the TomTom group of companies will not be liable for damage relating to the communication by e-mail of data, documents or any other information.
From: Ivan R. <iva...@gm...> - 2008-01-23 17:44:42
A typo; just move "allow" to the first rule (the one that specifies phase).

On Jan 23, 2008 5:36 PM, Kiffin Gish <kif...@to...> wrote:
> SecRule REQUEST_METHOD "^POST$" "chain,phase:2"
> SecRule REQUEST_URI "/your/uri" "auditlog,allow"
>
> So I just remove the "||" which seems to solve it, but then I get:
>
> - ModSecurity: Disruptive actions can only be specified by chain starter
> rules.
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

--
Ivan Ristic
From: Avi A. <av...@br...> - 2008-01-23 17:46:40
Also take a look at the doc to see what actions are defined as disruptive: http://www.modsecurity.org/documentation/modsecurity-apache/2.5.0-rc1/html-multipage/07-actions.html

Avi

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Ivan Ristic
> Sent: Wednesday, January 23, 2008 7:45 PM
> To: Kiffin Gish
> Cc: Christian Bockermann; mod-security-users
> Subject: Re: [mod-security-users] Logging POST body ...
>
> A typo; just move "allow" to the first rule (the one that specifies
> phase).
From: Kiffin G. <kif...@to...> - 2008-01-23 18:15:41
That was it, thanks! Now it works ...

--
Kiffin Gish

On Wed, 2008-01-23 at 17:44 +0000, Ivan Ristic wrote:
> A typo; just move "allow" to the first rule (the one that specifies phase).
From: Christian B. <ch...@jw...> - 2008-01-23 08:37:25
If I got you right then you do not want filtering with ModSecurity, but just the logging. If that's it, then you might get along with this:

SecRuleEngine On
SecRequestBodyAccess On

SecAuditEngine On
SecAuditLogType Concurrent
SecAuditLogDataDir /path/to/log-directory
SecAuditLogParts ABCFHZ||
SecDefaultAction "nolog,noauditlog,allow,phase:2"

SecRule REQUEST_METHOD "^POST$" "chain,phase:2"
SecRule REQUEST_URI "/your/uri" "auditlog,allow"

This will turn on the AuditEngine used for logging requests. Logging is only done on demand (because the default action says "noauditlog"). In order to log the request body you need the rule engine turned on (otherwise SecRequestBodyAccess will have no effect, IIRC).

With the last two rules all POST requests to a specific URI (replace "/your/uri" by your path) will be logged to the audit log. Using the concurrent audit-log format will create a file for each request within /path/to/log-directory. The files are further divided into directories according to their timestamp.

If you're interested in investigating local audit-log data (for debugging, etc.) you might want to have a look at my AuditViewer application. It is a simple graphical tool for reviewing audit-log data. You can find it at http://www.jwall.org/web/audit/viewer.jsp

Regards,
Chris

Kiffin Gish wrote:
> What's the easiest way to trace the body of a given POST-request in a
> separate log file dedicated to posts of a certain class, allowing the
> request to pass through untouched to its original destination? These are
> simple posts which are no larger than 1K.
From: Kiffin G. <kif...@to...> - 2008-01-23 08:52:39
Thanks a lot for the tip Chris, I'll give it a go.

On Wed, 2008-01-23 at 09:36 +0100, Christian Bockermann wrote:
> If I got you right then you do not want filtering with ModSecurity, but
> just the logging.

--
Kiffin Gish
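As an added example (not Chris's configuration and not shipped with ModSecurity), here is the logging-only setup from this thread with Ivan's fix applied: "allow" moved to the chain starter and the "||" dropped from SecAuditLogParts. Directive names follow the ModSecurity 2.x reference manual (the concurrent logger needs SecAuditLog for the index file and SecAuditLogStorageDir for the per-transaction files); the paths, the request body limit and the URI are placeholders to adjust.

```apache
# Added example, not from the thread: logging-only ModSecurity 2.x
# configuration that writes POSTs to one path into the concurrent audit
# log and lets every request through. Paths and URI are placeholders.
SecRuleEngine On
SecRequestBodyAccess On
# The posts in question are about 1 KB; a body above this limit is refused.
SecRequestBodyLimit 131072

# Concurrent mode writes one file per transaction under the storage
# directory and appends one summary line per transaction to the index.
SecAuditEngine RelevantOnly
SecAuditLogType Concurrent
SecAuditLog /var/log/modsecurity/audit_index.log
SecAuditLogStorageDir /var/log/modsecurity/audit
# Captured bodies can hold passwords and session tokens: keep them private.
SecAuditLogDirMode 0700
SecAuditLogFileMode 0600
# A header, B request headers, C request body, F response headers,
# H trailer, Z end marker. No trailing "||".
SecAuditLogParts ABCFHZ
# Never log because of a response status; only an explicit auditlog
# action produces a record.
SecAuditLogRelevantStatus "^$"

# Rules neither block nor log unless a rule says otherwise.
SecDefaultAction "phase:2,pass,nolog,noauditlog"

# allow is disruptive, so it must sit on the chain starter; auditlog is
# not, so it may sit on the chained rule. The chain matches only when
# both rules match, so only POSTs to the chosen path get an audit record.
# Phase 2 is the first phase in which the request body is available.
SecRule REQUEST_METHOD "^POST$" "phase:2,chain,allow,nolog"
    SecRule REQUEST_URI "^/your/uri" "auditlog"
```

"allow" is kept only to show where it has to go; with a "pass" default action nothing blocks, so the chain would log just as well without it. With RelevantOnly the decision to log rests entirely on the auditlog action of the matching rule, which is what the thread wanted; the permissions lines matter because part C records the body verbatim, credentials included, so the audit directory should not be readable by the web server's other users.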
Thread: [mod-security-users] Rate Limit POST events
From: Russ L. <uss...@ya...> - 2008-01-30 16:13:47
Is there a way to limit post events in modsecurity to about 30 a second to remove the spamming of forums and such?

Below is what I used to rate limit based on IP. But I am not sure how to rate limit based on the POST count. Can I get some help here?

SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}, \
    setvar:request_count=+1,expirevar:request_count=86400
SecRule IP:REQUEST_COUNT "@ge 2000" \
    "phase:1,pass,nolog,setvar:ip.blocked=1, \
    expirevar:ip.blocked=86400"
SecRule IP:BLOCKED "@eq 1" "phase:1,deny,log"

Thanks
From: Ryan B. <Ryan.Barnett@Breach.com> - 2008-01-30 17:34:10
> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Russ Lavoy
> Sent: Wednesday, January 30, 2008 11:14 AM
> To: mod...@li...
> Subject: [mod-security-users] Rate Limit POST events
>
> Is there a way to limit post events in modsecurity to
> about 30 a second to remove the spamming of forums and
> such?
>
> Below is what I used to rate limit based on IP. But I
> am not sure how to rate limit based on the POST count.
> Can I get some help here?

[Ryan Barnett] You can pretty much keep the same rule set format that you currently have, which creates the IP collection, and then just add a few rules to it. There is one update that it looks like you need to make - when you use setvar/expirevar and you want it to be placed inside the IP collection then it needs to be "setvar:ip.request_count=+1". The way that it is currently, it would create a TX variable called TX:REQUEST_COUNT.

This is not tested, but try this -

###############
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}, \
    setvar:ip.request_count=+1,expirevar:ip.request_count=86400

SecRule REQUEST_METHOD "^POST$" "phase:1,t:none,pass,nolog,setvar:ip.post_request_count=+1,expirevar:ip.post_request_count=30"
SecRule IP:POST_REQUEST_COUNT "@gt 1" "phase:1,t:none,pass,nolog,setvar:ip.blocked=1"

SecRule IP:REQUEST_COUNT "@ge 2000" \
    "phase:1,pass,nolog,setvar:ip.blocked=1, \
    expirevar:ip.blocked=86400"
SecRule IP:BLOCKED "@eq 1" "phase:1,deny,log"
###############

The two rules in the middle should identify POST requests and then set the appropriate IP collection variables to be evaluated, and the same ip.blocked variable will be set if a user posts more than 1 post within a 30 sec timeframe.

Let me know if this works.

-Ryan
From: Russ L. <uss...@ya...> - 2008-01-30 17:28:41
This rule denies me immediately when I hit my test site. It shows a few things, then starts reporting I have been blocked... This is on GET requests....

Thoughts?

Thanks

--- Ryan Barnett <Ryan.Barnett@Breach.com> wrote:
> This is not tested, but try this -
>
> SecRule IP:POST_REQUEST_COUNT "@gt 1"
> "phase:1,t:none,pass,nolog,setvar:ip.blocked=1"
>
> SecRule IP:BLOCKED "@eq 1" "phase:1,deny,log"
From: Ryan B. <Ryan.Barnett@Breach.com> - 2008-01-30 17:58:09
Attachments:
debug.txt
> -----Original Message-----
> From: Russ Lavoy [mailto:uss...@ya...]
> Sent: Wednesday, January 30, 2008 12:29 PM
> To: Ryan Barnett; mod...@li...
> Subject: RE: [mod-security-users] Rate Limit POST events
>
> This rule denies me immediately when I hit my test
> site. It shows a few things, then starts reporting I
> have been blocked... This is on get requests....
>
> Thoughts?

[Ryan Barnett] Hmm... I tested here locally and it worked fine for me. Two things to check - make sure that you pasted the rules correctly into your config (sometimes they get messed up when you copy/paste from email). Also, what does your debug log say?

I am attaching my debug log where I only used the modsecurity_crs_10_config.conf file and my own modsecurity_crs_15_customrules.conf file (which contains the rules I sent you). In it, I sent 3 requests: 1 GET, and then 2 POSTs one right after the other. In the debug log, you can see where the ip.post_request_count data is set, incremented, checked and then enforced appropriately.

What version of ModSecurity are you using? I am using Mod 2.5.0-rc1.
From: Ryan B. <Ryan.Barnett@Breach.com> - 2008-01-30 18:22:22
One other point to bring up. There can be a benefit to separating out the setting/incrementing and then evaluation of the variables. In this case, you already had a rule that would evaluate the IP:BLOCKED variable and then block if it matched. The one issue here is that the expirevar time setting that was there was for 86400 sec (24 hrs), which may not be what you want to use for the POST restriction. You should probably set a new block variable just for the POST blocks and have it expire every 30 seconds as well. This way, after 30 seconds, a user would be allowed to POST again.

This rule set works for me -

###############
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.request_count=+1,expirevar:ip.request_count=86400"

SecRule REQUEST_METHOD "^POST$" "phase:1,t:none,pass,nolog,setvar:ip.post_request_count=+1,expirevar:ip.post_request_count=30"
SecRule IP:POST_REQUEST_COUNT "@gt 1" "phase:1,t:none,pass,nolog,setvar:ip.post_blocked=1,expirevar:ip.post_blocked=30"

SecRule IP:REQUEST_COUNT "@ge 2000" "phase:1,pass,nolog,setvar:ip.blocked=1,expirevar:ip.blocked=86400"

SecRule IP:BLOCKED|IP:POST_BLOCKED "@eq 1" "phase:1,deny,log"
###############

> -----Original Message-----
> From: Ryan Barnett
> Sent: Wednesday, January 30, 2008 12:56 PM
> To: Russ Lavoy; mod...@li...
> Subject: RE: [mod-security-users] Rate Limit POST events
>
> [Ryan Barnett] Hmm... I tested here locally and it worked fine for me.
> Two things to check - make sure that you pasted the rules correctly into
> your config (sometimes they get messed up when you copy/paste from email).
> Also, what does your debug log say?
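As an added example (not Ryan's rule set, and not from ModSecurity or the Core Rule Set), here is a variant of the same per-IP collection approach that counts POSTs in a fixed window instead of one that is refreshed by every POST, and that refuses only the POSTs of a rate-limited client rather than all of its requests. The window (10 s), the threshold (more than 20 POSTs), the penalty (60 s), the rule ids and the SecDataDir path are illustrative choices, not values from the thread.

```apache
# Added example, not from the thread: per-IP POST rate limiting with
# ModSecurity 2.x persistent collections. Window, threshold, penalty,
# rule ids and the data directory are assumptions, not thread values.

# initcol-backed collections are stored on disk; without a SecDataDir
# that the httpd user can write, the ip collection does not persist
# between requests and the counters never grow.
SecDataDir /var/cache/modsecurity

# Load (or create) the per-client collection before anything else.
SecAction "phase:1,id:900100,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# A client in the penalty box has only its POSTs refused; GETs from the
# same address are still served. deny, being disruptive, sits on the
# chain starter and fires only when both rules match.
SecRule REQUEST_METHOD "^POST$" \
    "phase:1,id:900101,chain,deny,status:403,log,msg:'POST rate limit exceeded for %{REMOTE_ADDR}'"
    SecRule IP:POST_BLOCKED "@eq 1"

# First POST of a window: create the counter with a fixed 10 s lifetime.
# &IP:POST_COUNT is the number of such variables (0 when absent), so the
# lifetime is set once and is not pushed back by later POSTs.
SecRule REQUEST_METHOD "^POST$" "phase:1,id:900102,t:none,chain,pass,nolog"
    SecRule &IP:POST_COUNT "@eq 0" "setvar:ip.post_count=0,expirevar:ip.post_count=10"

# Every POST, including the first, bumps the counter.
SecRule REQUEST_METHOD "^POST$" \
    "phase:1,id:900103,t:none,pass,nolog,setvar:ip.post_count=+1"

# Over the threshold: raise a block flag with its own lifetime and drop
# the counter so the next window starts from zero when the block lapses.
SecRule IP:POST_COUNT "@gt 20" \
    "phase:1,id:900104,t:none,pass,nolog,setvar:ip.post_blocked=1,expirevar:ip.post_blocked=60,setvar:!ip.post_count"
```

The reason for creating the counter in its own rule is that expirevar sets the variable's expiry relative to the moment it runs; a rule that does "setvar:ip.post_count=+1,expirevar:ip.post_count=30" on every POST, as in the thread, keeps the window open for as long as the client keeps posting, so a slow but steady poster eventually crosses any threshold. Rule ids are optional metadata in 2.5 and mandatory from ModSecurity 2.7 on, so they are included here; 403 is used rather than 429 because older httpd releases map status codes they do not know to a generic error.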