Hi,

I'm running Mod_Security 2.5.13 with CRS 2.1.1. I have copied the following rules into the base_rules directory:

modsecurity_crs_11_dos_protection.conf
modsecurity_crs_11_slow_dos_protection.conf

I've uncommented the following section in modsecurity_crs_10_config.conf:

SecAction "phase:1,t:none,nolog,pass, \
    setvar:'tx.dos_burst_time_slice=60', \
    setvar:'tx.dos_counter_threshold=100', \
    setvar:'tx.dos_block_timeout=600'"

In the debug log I get the error:

Could not set variable "ip.dos_counter" as the collection does not exist.

Here is the level 9 debug up to that point (some details obfuscated):

[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Initialising transaction (txid TT-YxKwVByQAAC6ZJSEAAAAC).
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Transaction context created (dcfg de7f0).
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Processing disabled, skipping (hook request_early).
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] PdfProtect: Not enabled here.
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Processing disabled, skipping (hook request_late).
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Hook insert_filter: Adding PDF XSS protection output filter (r 1630cf0).
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Hook insert_filter: Processing disabled, skipping.
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Initialising logging.
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Starting phase LOGGING.
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][9] This phase consists of 40 rule(s).
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Recipe: Invoking rule 256478; [file "/var/www/conf/modsecurity_crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "24"].
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][5] Rule 256478: SecRule "IP:DOS_BLOCK" "@eq 1" "phase:5,noauditlog,t:none,nolog,skipAfter:END_DOS_PROTECTION_CHECKS"
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Rule returned 0.
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][9] No match, not chained -> mode NEXT_RULE.
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Recipe: Invoking rule 256c28; [file "/var/www/conf/modsecurity_crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "30"].
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][5] Rule 256c28: SecRule "REQUEST_BASENAME" "!@rx \\.(jpe?g|png|gif|js|css|ico)$" "phase:5,noauditlog,t:none,nolog,pass,setvar:ip.dos_counter=+1"
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Transformation completed in 7 usec.
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Executing operator "!rx" with param "\\.(jpe?g|png|gif|js|css|ico)$" against REQUEST_BASENAME.
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][9] Target value: "index.php"
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][6] Ignoring regex captures since "capture" action is not enabled.
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][4] Operator completed in 189 usec.
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][9] Setting variable: ip.dos_counter=+1
[26/Jan/2011:08:18:13 +0000] [192.168.1.1/sid#9caf8][rid#1630cf0][/index.php][3] Could not set variable "ip.dos_counter" as the collection does not exist.

Any ideas?

Thanks,
Yonah
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
