Are your protected URLs that you define in the 10 file setvars full paths to the login page(s)? The check in the brute force file checks these variables against the REQUEST_FILENAME of the current transaction. You sanitized your example configs (/protected_url) so I am not sure if you defined a filename or a directory.
An audit log entry would help.

On Mar 20, 2011, at 5:51 AM, Yonah Russ <[email protected]> wrote:

Hi,

I'm using 2.5.13 with CRS 2.1.1. I've configured the following:

SecAction "phase:1,t:none,nolog,pass, \
  setvar:'tx.brute_force_protected_urls=/protected_url /protected_url2', \
  setvar:'tx.brute_force_burst_time_slice=60', \
  setvar:'tx.brute_force_counter_threshold=5', \
  setvar:'tx.brute_force_block_timeout=300'"

When I test, all the requests get through and not even a message in the logs :(

Here is an excerpt from the debug log:

...
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_protected_urls=/protected_url /protected_url2
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_protected_urls" to "/protected_url /protected_url2".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_burst_time_slice=60
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_burst_time_slice" to "60".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_counter_threshold=5
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_counter_threshold" to "5".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_block_timeout=300
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_block_timeout" to "300".
...
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Creating collection (name "global", key "global").
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Recorded original collection variable: global.UPDATE_COUNTER = "0"
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Added collection "global" to the list.
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Resolved macro %{remote_addr} to: 192.168.1.1
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Resolved macro %{tx.ua_hash} to: 3dcbbff145dcf13aa6287b931eb296b39b7541ee
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "__expire_KEY", value "1300615158".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "KEY", value "192.168.1.1_3dcbbff145dcf13aa6287b931eb296b39b7541ee".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "TIMEOUT", value "3600".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "__key", value "192.168.1.1_3dcbbff145dcf13aa6287b931eb296b39b7541ee".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "__name", value "ip".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "CREATE_TIME", value "1300607334".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "UPDATE_COUNTER", value "75".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "dos_counter", value "75".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "LAST_UPDATE_TIME", value "1300611558".
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Retrieved collection (name "ip", key "192.168.1.1_3dcbbff145dcf13aa6287b931eb296b39b7541ee").
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Recorded original collection variable: ip.UPDATE_COUNTER = "75"
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Added collection "ip" to the list.
...
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][5] Rule 240d78: SecRule "IP:BRUTE_FORCE_BLOCK" "@eq 1" "phase:1,log,noauditlog,chain,block,msg:'Brute Force Attack Identified from %{remote_addr} (%{tx.brute_force_block_counter} hits since last alert)',setvar:ip.brute_force_block_counter=+1"
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Rule returned 0.
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] No match, chained -> mode NEXT_CHAIN.
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Recipe: Invoking rule 244cd8; [file "/opt/www/conf/modsecurity_crs/base_rules/modsecurity_crs_11_brute_force.conf"] [line "27"].
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][5] Rule 244cd8: SecRule "IP:BRUTE_FORCE_BLOCK" "@eq 1" "phase:1,noauditlog,block,nolog,setvar:ip.brute_force_block_counter=+1"
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Rule returned 0.
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] No match, not chained -> mode NEXT_RULE.
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Recipe: Invoking rule 250338; [file "/opt/www/conf/modsecurity_crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "11"].
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][5] Rule 250338: SecRule "IP:DOS_BLOCK" "@eq 1" "phase:1,log,noauditlog,chain,drop,msg:'Denial of Service (DoS) Attack Identified from %{remote_addr} (%{tx.dos_block_counter} hits since last alert)',setvar:ip.dos_block_counter=+1"
[20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Rule returned 0.

From what I can see, the request never hits the section of rules which should start counting the requests to the protected url. Instead, it skips to the next ruleset?

Thanks in advance,
Yonah

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
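As an added example (not code from this thread or from the CRS project), here is a small Python model of the check the reply describes: REQUEST_FILENAME is compared with the @within operator against tx.brute_force_protected_urls, and only requests that pass that gate are counted. The four settings are the ones from Yonah's SecAction; the counter, burst and block state machine driven by them is my reading of the CRS 2.x brute-force rule file and is an assumption, as is the constructed one-request-per-second traffic. It shows why a list entry that names a directory while the login POST's REQUEST_FILENAME is the full file path produces neither counting nor log messages.

```python
"""Toy model of ModSecurity CRS 2.x brute-force protection (added example).

The four settings are the tx.* values from the SecAction in the mail. The
counter -> burst -> block logic is my reading of the CRS 2.x rule file and is
an assumption, not code from the page or the CRS project.
"""
from __future__ import annotations

from dataclasses import dataclass

PROTECTED_URLS = "/protected_url /protected_url2"  # tx.brute_force_protected_urls
BURST_TIME_SLICE = 60    # tx.brute_force_burst_time_slice (seconds)
COUNTER_THRESHOLD = 5    # tx.brute_force_counter_threshold
BLOCK_TIMEOUT = 300      # tx.brute_force_block_timeout (seconds)


def within(needle: str, haystack: str) -> bool:
    """ModSecurity's @within operator: true if the variable value (needle)
    occurs anywhere inside the operator parameter (haystack)."""
    return needle in haystack


def is_protected(request_filename: str) -> bool:
    """The gate the reply asks about: REQUEST_FILENAME @within the URL list."""
    return within(request_filename, PROTECTED_URLS)


@dataclass
class IpState:
    """Per-IP collection variables together with their expirevar deadlines."""
    counter: int = 0
    counter_expires: float = 0.0
    burst_counter: int = 0
    burst_expires: float = 0.0
    block: bool = False
    block_expires: float = 0.0

    def expire(self, now: float) -> None:
        # expirevar semantics: a variable disappears once its deadline passes.
        if self.counter and now >= self.counter_expires:
            self.counter = 0
        if self.burst_counter and now >= self.burst_expires:
            self.burst_counter = 0
        if self.block and now >= self.block_expires:
            self.block = False


class BruteForceModel:
    def __init__(self) -> None:
        self.ips: dict[str, IpState] = {}

    def handle(self, ip: str, request_filename: str, now: float) -> str:
        st = self.ips.setdefault(ip, IpState())
        st.expire(now)
        # Phase-1 rules (the ones visible in the debug log): an IP whose
        # brute_force_block flag is set is blocked whatever URL it asks for.
        if st.block:
            return "blocked"
        # The counting rules are skipped entirely when the URL is not in the
        # protected list, so nothing is counted and nothing is logged.
        if not is_protected(request_filename):
            return "unprotected"
        st.counter += 1
        st.counter_expires = now + BURST_TIME_SLICE
        if st.counter > COUNTER_THRESHOLD:
            # More than threshold hits inside one time slice: record a burst
            # and restart the per-slice counter.
            st.burst_counter += 1
            st.burst_expires = now + BURST_TIME_SLICE
            st.counter = 0
            if st.burst_counter >= 2:
                st.block = True
                st.block_expires = now + BLOCK_TIMEOUT
                return "block-set"
            return "burst"
        return "counted"


def run_login_burst(model: BruteForceModel, ip: str = "192.168.1.1",
                    path: str = "/protected_url", count: int = 13,
                    start: float = 0.0) -> list[str]:
    """Constructed traffic: `count` requests one second apart from one IP.
    Returns the per-request outcome."""
    return [model.handle(ip, path, start + i) for i in range(count)]


if __name__ == "__main__":
    # A full login path does not @within a list holding only the directory.
    print(is_protected("/protected_url"), is_protected("/protected_url/login.php"))
    m = BruteForceModel()
    print(run_login_burst(m))
    # The block covers every request from that IP until block_timeout passes.
    print(m.handle("192.168.1.1", "/anything", 310), m.handle("192.168.1.1", "/anything", 311))
```

Two points worth checking against a real deployment: @within is a plain substring test, so the value that must appear in tx.brute_force_protected_urls is exactly the REQUEST_FILENAME the login request carries (the third bracketed field of each debug-log line, "[/protected_url]" above, shows it), and a shorter path that happens to be a substring of the list would also pass the gate; and because the counting happens only for protected URLs, a mismatch there is silent, which matches the "not even a message in the logs" symptom.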
