No, I think it's a logical error. !ip.dos_counter is called only after dos_counter reached the threshold. Now, think about the following scenario:
1. I've sent a couple of requests 2. Waited for more than dos_burst_time_slice seconds hoping that it will clear the dos_counter 3. Send some requests again. All of them will be added to the dos_counter becuase it didn't expire. All that means that you can keep adding to dos_counter for a very long period of time, which is much longer than dos_burst_time_slice and it defeats the purpose of dos_burst_time_slice parameter in my view. ----- Original Message ---- > From: Ryan Barnett <[email protected]> > To: "[email protected]" <[email protected]>; >"[email protected]" ><[email protected]> > Sent: Fri, June 17, 2011 5:15:57 AM > Subject: Re: [Mod-security-developers] CRS DoS bugs/suggestions > > Oleg, > First of all, thank you for taking the time to test these rules further. > The >rule quality will only improve if the community takes the time to test them >and >report back the status. > > To your comments about the lack of "expirevar" actions, this should not be >needed for the ip.dos_counter var as the last rule uses the >"setvar:!ip.dos_counter" action to actually remove that variable if the >operator matches. Can you please check your debug log during testing to >verify >if that action is not removing that variable? Perhaps there is a bug in >removing the variable with the "!" symbol and using expirevar is more >reliable. > > Also – what version of ModSecurity are you using? > > -Ryan > > From: Oleg Gryb <[email protected]<mailto:[email protected]>> > Reply-To: "[email protected]<mailto:[email protected]>" ><[email protected]<mailto:[email protected]>>, >"[email protected]<mailto:[email protected]>" > ><[email protected]<mailto:[email protected]>> > > Date: Thu, 16 Jun 2011 11:32:11 -0500 > To: >"[email protected]<mailto:[email protected]>" > ><[email protected]<mailto:[email protected]>> > > Subject: [Mod-security-developers] CRS DoS bugs/suggestions > > > I was testing DoS ruleset lately and found that there probably was a bug >related to ip.dos_counter variable. The expiration time was not set for this >var, as a result the counter persists longer than tx.dos_burst_time_slice. As >a >result, the history of hits is counted for a longer time period. > > I've added expiration time in two places and it started to work correctly >after that. The changes are below: > > SecRule REQUEST_BASENAME "!\.(jpe?g|png|gif|js|css|ico)$" >"phase:5,t:none,nolog,pass,setvar:ip.dos_counter=+1,expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}" > > > ... > > SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" >"phase:5,t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter,expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}" > > > I've also attached the sample of testing program. I think, we should have >something like that to test all limits. There are only two tests implemented >for now: for request size and DoS, but it should be easy to add more. > > > > ________________________________ > This transmission may contain information that is privileged, confidential, >and/or exempt from disclosure under applicable law. If you are not the >intended >recipient, you are hereby notified that any disclosure, copying, >distribution, >or use of the information contained herein (including any reliance thereon) >is >STRICTLY PROHIBITED. If you received this transmission in error, please >immediately contact the sender and destroy the material in its entirety, >whether in electronic or hard copy format. > > _______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
