I am forwarding this to the OWASP ModSecurity CRS list as this pertains to the DoS rules.
Oleg - please send future issues related to the OWASP CRS to this mail-list instead of the ModSec Dev list. Thanks.

-Ryan

On 6/17/11 8:15 AM, "Ryan Barnett" <[email protected]> wrote:

> Oleg,
>
> First of all, thank you for taking the time to test these rules further. The rule quality will only improve if the community takes the time to test them and report back the status.
>
> To your comments about the lack of "expirevar" actions, this should not be needed for the ip.dos_counter var as the last rule uses the "setvar:!ip.dos_counter" action to actually remove that variable if the operator matches. Can you please check your debug log during testing to verify whether that action is removing that variable? Perhaps there is a bug in removing the variable with the "!" symbol and using expirevar is more reliable.
>
> Also, what version of ModSecurity are you using?
>
> -Ryan
>
> From: Oleg Gryb <[email protected]>
> Reply-To: [email protected], [email protected]
> Date: Thu, 16 Jun 2011 11:32:11 -0500
> To: [email protected]
> Subject: [Mod-security-developers] CRS DoS bugs/suggestions
>
> I was testing the DoS ruleset lately and found that there probably was a bug related to the ip.dos_counter variable. The expiration time was not set for this var, so the counter persists longer than tx.dos_burst_time_slice. As a result, the history of hits is counted for a longer time period.
>
> I've added an expiration time in two places and it started to work correctly after that.
> The changes are below:
>
> SecRule REQUEST_BASENAME "!\.(jpe?g|png|gif|js|css|ico)$" \
>   "phase:5,t:none,nolog,pass,setvar:ip.dos_counter=+1,expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}"
>
> ...
>
> SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
>   "phase:5,t:none,nolog,pass,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter,expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}"
>
> I've also attached a sample testing program. I think we should have something like that to test all limits. There are only two tests implemented for now, for request size and DoS, but it should be easy to add more.
>
> _______________________________________________
> mod-security-developers mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
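The behaviour Oleg describes, and the point Ryan raises about setvar:! versus expirevar, can be reproduced offline with a small model of the two counting rules. The Python below is an added example written for this page; it is not the CRS, not ModSecurity's code, and not Oleg's attached test program. It assumes a simplified ip.* collection in which a variable carries an optional expiry timestamp and reads after that timestamp see the variable as absent (which is what expirevar arranges in ModSecurity 2.x, with the expiry re-armed every time the action runs). Threshold and time-slice values, the request traces and the names IpCollection, phase5 and simulate are all constructed for the demo.

```python
import re
from dataclasses import dataclass

# Static-asset suffixes excluded from counting, as in the REQUEST_BASENAME rule above.
STATIC_RE = re.compile(r"\.(jpe?g|png|gif|js|css|ico)$", re.IGNORECASE)


@dataclass
class DosConfig:
    """The tx.* settings the rules reference (values constructed for the demo)."""
    burst_time_slice: int = 10   # tx.dos_burst_time_slice, seconds
    counter_threshold: int = 5   # tx.dos_counter_threshold


class IpCollection:
    """Simplified model of a persistent ModSecurity collection (ip.*).

    Assumption: each variable has an optional expiry timestamp; a read at or
    after it treats the variable as absent. This is a model, not ModSecurity.
    """

    def __init__(self):
        self._vars = {}  # name -> (value, expires_at or None)

    def get(self, name, now):
        entry = self._vars.get(name)
        if entry is None:
            return None
        value, expires_at = entry
        if expires_at is not None and now >= expires_at:
            del self._vars[name]   # expired: behaves as if it was never set
            return None
        return value

    def incr(self, name, now, by=1):
        """setvar:ip.NAME=+1 (keeps an existing expiry, if any)."""
        current = self.get(name, now) or 0
        expires_at = self._vars.get(name, (None, None))[1]
        self._vars[name] = (current + by, expires_at)

    def expire(self, name, now, ttl):
        """expirevar:ip.NAME=ttl: (re)arms the expiry at now + ttl."""
        if name in self._vars:
            self._vars[name] = (self._vars[name][0], now + ttl)

    def unset(self, name):
        """setvar:!ip.NAME"""
        self._vars.pop(name, None)


def phase5(ip, basename, now, cfg, use_expirevar):
    """Run the two counting rules from the thread for one request.

    use_expirevar=False is the rule without an expiry on ip.dos_counter;
    use_expirevar=True is Oleg's change. Returns ip.dos_burst_counter.
    """
    if not STATIC_RE.search(basename):
        ip.incr("dos_counter", now)
        if use_expirevar:
            ip.expire("dos_counter", now, cfg.burst_time_slice)
    counter = ip.get("dos_counter", now) or 0
    if counter >= cfg.counter_threshold:
        ip.incr("dos_burst_counter", now)
        ip.expire("dos_burst_counter", now, cfg.burst_time_slice)
        ip.unset("dos_counter")   # the expirevar that follows it in the rule is then a no-op
    return ip.get("dos_burst_counter", now) or 0


def simulate(trace, cfg, use_expirevar):
    """trace: list of (seconds, request basename) from one client IP.
    Returns [(seconds, ip.dos_counter, ip.dos_burst_counter), ...]."""
    ip = IpCollection()
    result = []
    for now, basename in trace:
        burst = phase5(ip, basename, now, cfg, use_expirevar)
        result.append((now, ip.get("dos_counter", now) or 0, burst))
    return result


CFG = DosConfig()

# Constructed trace 1: four dynamic hits, two static ones, then one more hit
# long after the 10 s slice has elapsed.
GAP_TRACE = [(0, "index.php"), (1, "index.php"), (2, "index.php"), (3, "index.php"),
             (4, "logo.png"), (5, "logo.png"), (30, "search.php")]

# Constructed trace 2: one dynamic hit every 8 s, i.e. slower than one slice.
TRICKLE_TRACE = [(t, "index.php") for t in range(0, 40, 8)]

if __name__ == "__main__":
    for label, use in (("no expirevar", False), ("with expirevar", True)):
        print(label, "gap trace, last step:", simulate(GAP_TRACE, CFG, use)[-1])
    print("with expirevar, trickle trace:", simulate(TRICKLE_TRACE, CFG, True))
```

On the first trace the un-expired counter carries the four old hits across the idle gap and the fifth hit at t=30 trips the threshold, which is the symptom reported above; with the expiry the counter has lapsed by then and starts over at 1. The second trace shows the caveat of the fix: expirevar re-arms the expiry on every hit, so the counter only lapses after a full idle slice. A client that hits every 8 seconds (below 5 requests per 10 s slice) still accumulates to the threshold at t=32, so tx.dos_burst_time_slice is effectively an idle timeout rather than a fixed window, and the threshold should be tuned with that in mind.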
