My test team is reporting unfortunate results with the brute force rules.

CentOS release 5.7 (Final)
Server version: Apache/2.2.21 (Unix)
Server built: Sep 22 2011 17:34:16
ModSecurity 2.5.9
SecComponentSignature "core ruleset/2.2.2"

The symptom that we are seeing is that 981042 doesn't seem to be picking up the value of tx.brute_force_counter_threshold. If I enable logging on that rule, the entry in the ModSecurity log reads:

    Message: Warning. Operator GT matched 0 at IP:brute_force_counter. [file "/etc/httpd/conf.d/modsecurity_crs/experimental_rules/modsecurity_crs_11_brute_force.conf"] [line "53"] [id "981042"]

Our configuration of rule 981214 is almost right out of the box:

    SecAction "phase:1,id:'981214',t:none,nolog,pass, \
    setvar:'tx.brute_force_protected_urls=/protectThisUrl', \
    setvar:'tx.brute_force_burst_time_slice=60', \
    setvar:'tx.brute_force_counter_threshold=10', \
    setvar:'tx.brute_force_block_timeout=60'"

My development sandbox behaves as I would expect:

    Message: Warning. Operator GT matched 10 at IP:brute_force_counter. [file "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/modsecurity_crs/experimental_rules/modsecurity_crs_11_brute_force.conf"] [line "53"] [id "981042"]

However, the development sandbox is running Windows, and is using the binaries I downloaded for ModSecurity 2.6.2.

Have I simply loaded the experimental rules into a version of ModSecurity that doesn't support them, or is something more sinister going on? I'm running out of ideas on how to troubleshoot this.

Thanks,
Danil