Hi,

I'm using 2.5.13 with CRS 2.1.1
I've configured the following:

SecAction "phase:1,t:none,nolog,pass, \
setvar:'tx.brute_force_protected_urls=/protected_url /protected_url2', \
setvar:'tx.brute_force_burst_time_slice=60', \
setvar:'tx.brute_force_counter_threshold=5', \
setvar:'tx.brute_force_block_timeout=300'"

When I test, all the requests get through, and there is not even a message in the logs :(
Here is an excerpt from the debug log:
...
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable:
tx.brute_force_protected_urls=/protected_url /protected_url2
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable
"tx.brute_force_protected_urls" to "/protected_url /protected_url2".
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable:
tx.brute_force_burst_time_slice=60
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable
"tx.brute_force_burst_time_slice" to "60".
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable:
tx.brute_force_counter_threshold=5
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable
"tx.brute_force_counter_threshold" to "5".
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable:
tx.brute_force_block_timeout=300
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable
"tx.brute_force_block_timeout" to "300".
...
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Creating
collection (name "global", key "global").
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Recorded original
collection variable: global.UPDATE_COUNTER = "0"
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Added collection
"global" to the list.
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Resolved macro
%{remote_addr} to: 192.168.1.1
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Resolved macro
%{tx.ua_hash} to: 3dcbbff145dcf13aa6287b931eb296b39b7541ee
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable:
name "__expire_KEY", value "1300615158".
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable:
name "KEY", value "192.168.1.1_3dcbbff145dcf13aa6287b931eb296b39b7541ee".
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable:
name "TIMEOUT", value "3600".
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable:
name "__key", value "192.168.1.1_3dcbbff145dcf13aa6287b931eb296b39b7541ee".
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable:
name "__name", value "ip".
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable:
name "CREATE_TIME", value "1300607334".
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable:
name "UPDATE_COUNTER", value "75".
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable:
name "dos_counter", value "75".
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable:
name "LAST_UPDATE_TIME", value "1300611558".
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Retrieved
collection (name "ip", key
"192.168.1.1_3dcbbff145dcf13aa6287b931eb296b39b7541ee").
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Recorded original
collection variable: ip.UPDATE_COUNTER = "75"
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Added collection
"ip" to the list.
...
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][5] Rule 240d78:
SecRule "IP:BRUTE_FORCE_BLOCK" "@eq 1"
"phase:1,log,noauditlog,chain,block,msg:'Brute Force Attack Identified from
%{remote_addr} (%{tx.brute_force_block_counter} hits since last
alert)',setvar:ip.brute_force_block_counter=+1"
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Rule returned 0.
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] No match, chained
-> mode NEXT_CHAIN.
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Recipe: Invoking
rule 244cd8; [file
"/opt/www/conf/modsecurity_crs/base_rules/modsecurity_crs_11_brute_force.conf"]
[line "27"].
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][5] Rule 244cd8:
SecRule "IP:BRUTE_FORCE_BLOCK" "@eq 1"
"phase:1,noauditlog,block,nolog,setvar:ip.brute_force_block_counter=+1"
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Rule returned 0.
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] No match, not
chained -> mode NEXT_RULE.
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Recipe: Invoking
rule 250338; [file
"/opt/www/conf/modsecurity_crs/base_rules/modsecurity_crs_11_dos_protection.conf"]
[line "11"].
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][5] Rule 250338:
SecRule "IP:DOS_BLOCK" "@eq 1"
"phase:1,log,noauditlog,chain,drop,msg:'Denial of Service (DoS) Attack
Identified from %{remote_addr} (%{tx.dos_block_counter} hits since last
alert)',setvar:ip.dos_block_counter=+1"
[20/Mar/2011:09:15:56 +0000] [
www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Rule returned 0.

From what I can see, the request never hits the section of rules which
should start counting the requests to the protected url. Instead, it skips
to the next ruleset?
Thanks in advance,
Yonah
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
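Added example (not code from the original post, from ModSecurity or from the CRS project): a small Python model of how the four tx.brute_force_* settings above interact, written for reasoning about tuning and about what to expect in a debug log. It assumes the mechanism is a per-IP counter whose expiry is refreshed to the burst time slice on every hit to a protected URL, a block flag set once that counter exceeds the threshold and expiring after the block timeout, and enforcement of the flag only on the next request (a phase-1 check reads state written at the end of the previous transaction). The class name BruteForceModel, the helper simulate and the sample events are constructed for the example.

```python
"""Simplified model of per-IP brute-force counting with a burst window
and a block timeout, mirroring the tx.brute_force_* variables in the post.
This is an added illustration, not the CRS rule logic itself."""
from dataclasses import dataclass, field


@dataclass
class BruteForceModel:
    protected_urls: set                 # tx.brute_force_protected_urls
    burst_time_slice: int = 60          # tx.brute_force_burst_time_slice
    counter_threshold: int = 5          # tx.brute_force_counter_threshold
    block_timeout: int = 300            # tx.brute_force_block_timeout
    # Per-IP state, analogous to the "ip" collection: counter value,
    # counter expiry time, and block-flag expiry time.
    _counter: dict = field(default_factory=dict)
    _counter_expiry: dict = field(default_factory=dict)
    _block_expiry: dict = field(default_factory=dict)

    def _expire(self, ip: str, now: int) -> None:
        """Drop counter and block state whose expiry has passed (expirevar)."""
        if ip in self._counter_expiry and now >= self._counter_expiry[ip]:
            del self._counter[ip]
            del self._counter_expiry[ip]
        if ip in self._block_expiry and now >= self._block_expiry[ip]:
            del self._block_expiry[ip]

    def request(self, ip: str, path: str, now: int) -> str:
        """Decide one request ('allow' or 'block') and update the IP state."""
        self._expire(ip, now)
        # Early (phase-1 style) check: a flagged IP is blocked on every path.
        if ip in self._block_expiry:
            return "block"
        # Late (phase-5 style) counting applies only to protected URLs.
        if path not in self.protected_urls:
            return "allow"
        self._counter[ip] = self._counter.get(ip, 0) + 1
        # Each hit refreshes the counter expiry to the burst time slice.
        self._counter_expiry[ip] = now + self.burst_time_slice
        if self._counter[ip] > self.counter_threshold:
            # Set the block flag; it is only enforced from the next request.
            self._block_expiry[ip] = now + self.block_timeout
            del self._counter[ip]
            del self._counter_expiry[ip]
        return "allow"


def simulate(model: BruteForceModel, events: list) -> list:
    """Run (time, ip, path) events through the model and return decisions."""
    return [model.request(ip, path, t) for (t, ip, path) in events]


# Constructed sample traffic: one client hammers a protected URL, then
# touches an unprotected page, another client arrives, and the first
# client returns after the block timeout has elapsed.
CONSTRUCTED_EVENTS = [(t, "10.0.0.5", "/protected_url") for t in range(7)] + [
    (7, "10.0.0.5", "/index.html"),
    (8, "10.0.0.9", "/protected_url"),
    (307, "10.0.0.5", "/protected_url"),
]

if __name__ == "__main__":
    model = BruteForceModel({"/protected_url", "/protected_url2"})
    for event, decision in zip(CONSTRUCTED_EVENTS, simulate(model, CONSTRUCTED_EVENTS)):
        print(event, "->", decision)
```

With the defaults from the post, the sixth hit inside the 60-second window pushes the counter past 5 and sets the flag, so the seventh request (and any other path from that client) is blocked for 300 seconds, while requests spaced more than the burst time slice apart never accumulate. Because the flag is enforced on the following request, a debug log taken from the phase-1 part of the transaction that crosses the threshold will still show the block rules returning 0.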
