Hi Ryan, thanks for your prompt reply.

"Those rules are tracking and inspecting data in the IP persistent collection data. Do you have the IP collection initiation rules activated at the end of the modsecurity_crs_10_config.conf file?"

We haven't changed those rules from what was provided in modsecurity_crs_10_config.conf.example, which means those rules are activated. They match the rules you pasted in precisely.

Additionally, I've learned that if I replace the variable in 981042 with a constant, the rule fires as I would expect.

SecRule IP:BRUTE_FORCE_COUNTER "@gt 10" "phase:5,id:'981042',t:none,log,pass,t:none,setvar:ip.brute_force_burst_counter=+1,expirevar:ip.brute_force_burst_counter=%{tx.brute_force_burst_time_slice},setvar:!ip.brute_force_counter"

Is there a way to confirm that 981214 is actually setting the variables correctly?

Thanks,
Danil

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set