Hi Luca,

I've done some previous stuff on request-limiting a client, e.g. by IP address.
The same concept can be modified to use an arbitrary client identifier, e.g.
its session id.

You may want to have a look at 

        https://secure.jwall.org/blog/2009/07/19/1248004300834.html

Recently I had a conversation about this issue with another guy on the list.
Based on that I started implementing a test-suite to evaluate a rule-set for
this case.
If you're interested in trying that out, then drop me a line.

Best regards,
     Chris


On 12.01.2011 at 11:42, Superpizza wrote:

> Hi everyone.
> I was wondering about setting up a brute force protection against a single
> client (browser).
> It happens I manage a busy site, and I've got a bunch of customers
> coming to me through large proxies.
> This means I can't simply ban an IP
> (as dictated by current brute force rule in 2.1.1),
> but I'd like to stop a single client
> (likely a script mimicking a real browser).
> 
> I thought about setting up a global collection
> populated by hashing a cookie (different value for each customer).
> Something like:
> 
> # Hash the JSESSIONID cookie *value* (REQUEST_COOKIES, not REQUEST_COOKIES_NAMES,
> # which would yield the constant string "JSESSIONID" for every client).
> SecRule REQUEST_COOKIES:JSESSIONID "^(.*)$" \
>     "phase:1,t:none,pass,nolog,t:sha1,t:hexEncode,setvar:tx.cookie_hash=%{matched_var}"
> 
> # Key the persistent 'ip' collection on the cookie hash instead of the address,
> # so the existing CRS brute-force rules (which read ip.*) keep working.
> SecAction \
>     "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{tx.cookie_hash}"
> 
> I could then try to modify the rules present in
> modsecurity_crs_11_brute_force.conf to evaluate that variable.
> Any suggestion?
> 
> Regards, Luca
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

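The following is an added example (not code from the thread, from Chris's blog post, or from the OWASP CRS) of what a cookie-keyed brute-force throttle for the case Luca describes can look like in ModSecurity 2.x syntax. Everything in it is an assumption for illustration: the cookie name JSESSIONID, the login URI /login, the rule ids in the 900100 range, the thresholds, and the tx.client_key / ip.login_failures variable names (they are not the variable names used by modsecurity_crs_11_brute_force.conf). It goes one step beyond the question by falling back to REMOTE_ADDR when no cookie is present, since a client that simply drops or rotates its cookie would otherwise never accumulate a count.

```apache
# Added example: per-client brute-force throttle keyed on a hashed session
# cookie rather than the source IP. Assumed names throughout (JSESSIONID,
# /login, tx.client_key, ip.login_failures, rule ids 900100-900104).

# 1. Derive a stable, non-reversible client key from the cookie value.
#    MATCHED_VAR holds the value after t:sha1,t:hexEncode have been applied.
SecRule REQUEST_COOKIES:JSESSIONID "^.+$" \
    "phase:1,id:900100,t:none,t:sha1,t:hexEncode,pass,nolog,\
    setvar:tx.client_key=%{MATCHED_VAR}"

# 2. No cookie (or an empty one): fall back to the remote address so the
#    client is still counted instead of evading the rule by omitting the cookie.
SecRule &TX:client_key "@eq 0" \
    "phase:1,id:900101,t:none,pass,nolog,setvar:tx.client_key=%{REMOTE_ADDR}"

# 3. Initialise the persistent collection on that key. Reusing the 'ip'
#    collection name keeps rules that read ip.* working unchanged.
SecAction "phase:1,id:900102,t:none,pass,nolog,initcol:ip=%{tx.client_key}"

# 4. Count failed logins: a POST to /login that the application answers with
#    401, 403 or a redirect back to the form. The counter decays after 300 s
#    without a new failure.
SecRule REQUEST_URI "@beginsWith /login" \
    "phase:3,id:900103,t:none,chain,pass,nolog"
    SecRule REQUEST_METHOD "@streq POST" "t:none,chain"
    SecRule RESPONSE_STATUS "^(401|403|302)$" "t:none,\
        setvar:ip.login_failures=+1,expirevar:ip.login_failures=300"

# 5. Once the same client key has reached the threshold, refuse further login
#    attempts in phase 1 (before the application sees them). The 300 s expiry
#    on the counter is what eventually lifts the block.
SecRule REQUEST_URI "@beginsWith /login" \
    "phase:1,id:900104,t:none,chain,deny,status:403,log,\
    msg:'Per-client login brute force threshold exceeded (cookie-keyed)'"
    SecRule IP:login_failures "@ge 10" "t:none"
```

Two caveats worth keeping in mind with this approach: the session cookie is attacker-controlled, so a script can obtain a fresh one per attempt and spread its attempts over many keys, which is why the IP fallback (and, behind large proxies, a second counter keyed on the target username) is usually combined with it; and the collection keyed on a hash should use a persistent SecDataDir store shared across worker processes, otherwise each Apache child keeps its own count.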