Hi,
My brute force rules are set to match on /ucp.php but they also match
on requests to /

i.e.

SecAction "phase:1,id:'981214',t:none,nolog,pass, \
setvar:'tx.brute_force_protected_urls=/ucp.php', \
setvar:'tx.brute_force_burst_time_slice=90', \
setvar:'tx.brute_force_counter_threshold=7', \
setvar:'tx.brute_force_block_timeout=300'"

SecRule &TX:BRUTE_FORCE_PROTECTED_URLS "@eq 0" \
"phase:5,id:'981038',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"
SecRule REQUEST_FILENAME "!@within %{tx.brute_force_protected_urls}" \
"phase:5,id:'981039',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" \
"phase:5,id:'981040',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"


Debug log:

[14/Mar/2012:14:00:36 --0700]
[www.example.com/sid#2ae9867c9898][rid#2ae98f136830][/][4] Recipe:
Invoking rule 2ae986593ae8; [file
"/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_11_brute_force.conf"]
[line "38"] [id "981038"].
[14/Mar/2012:14:00:36 --0700]
[www.example.com/sid#2ae9867c9898][rid#2ae98f136830][/][4]
Transformation completed in 0 usec.
[14/Mar/2012:14:00:36 --0700]
[www.example.com/sid#2ae9867c9898][rid#2ae98f136830][/][4] Executing
operator "eq" with param "0" against &TX:BRUTE_FORCE_PROTECTED_URLS.
[14/Mar/2012:14:00:36 --0700]
[www.example.com/sid#2ae9867c9898][rid#2ae98f136830][/][4] Operator
completed in 1 usec.
[14/Mar/2012:14:00:36 --0700]
[www.example.com/sid#2ae9867c9898][rid#2ae98f136830][/][4] Rule
returned 0.
[14/Mar/2012:14:00:36 --0700]
[www.example.com/sid#2ae9867c9898][rid#2ae98f136830][/][4] Recipe:
Invoking rule 2ae986594568; [file
"/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_11_brute_force.conf"]
[line "39"] [id "981039"].
[14/Mar/2012:14:00:36 --0700]
[www.example.com/sid#2ae9867c9898][rid#2ae98f136830][/][4]
Transformation completed in 0 usec.
[14/Mar/2012:14:00:36 --0700]
[www.example.com/sid#2ae9867c9898][rid#2ae98f136830][/][4] Executing
operator "!within" with param "%{tx.brute_force_protected_urls}"
against REQUEST_FILENAME.
[14/Mar/2012:14:00:36 --0700]
[www.example.com/sid#2ae9867c9898][rid#2ae98f136830][/][4] Operator
completed in 10 usec.
[14/Mar/2012:14:00:36 --0700]
[www.example.com/sid#2ae9867c9898][rid#2ae98f136830][/][4] Rule
returned 0.
[14/Mar/2012:14:00:36 --0700]
[www.example.com.com/sid#2ae9867c9898][rid#2ae98f136830][/][4] Recipe:
Invoking rule 2ae9865de9e8; [file
"/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_11_brute_force.conf"]
[line "40"] [id "981040"].
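The debug log above shows rule 981039 returning 0 for `/`, which is what a substring test gives: `/` occurs inside `/ucp.php`. The following is an added example, not part of the original post or of the CRS, that models that comparison in Python next to an exact-match check; the function names and sample paths are constructed, and the substring behaviour of `@within` is the stated assumption.

```python
# Model of how rule 981039 decides whether a request is "protected".
# Assumption: @within is true when the inspected value occurs anywhere
# inside the operator parameter (a substring test).

PROTECTED = "/ucp.php"  # tx.brute_force_protected_urls from the post

# Constructed sample request paths (REQUEST_FILENAME values).
SAMPLE_PATHS = ["/", "/u", "/ucp", "/ucp.php", "/index.php", "/ucp.php.bak"]


def within(value: str, param: str) -> bool:
    """Substring semantics of @within: is `value` found inside `param`?"""
    return value in param


def checks_run_substring(path: str, protected: str = PROTECTED) -> bool:
    """Rule 981039 skips the checks when '!@within' matches, so the
    brute-force checks run whenever the path IS within the list."""
    return within(path, protected)


def checks_run_exact(path: str, protected: str = PROTECTED) -> bool:
    """Hypothetical stricter comparison: the path must equal one entry of
    the whitespace-separated list."""
    return path in protected.split()


def unintended_matches(paths, protected: str = PROTECTED):
    """Paths counted by the substring test but not by the exact test."""
    return [p for p in paths
            if checks_run_substring(p, protected)
            and not checks_run_exact(p, protected)]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r:16} substring={checks_run_substring(p)!s:5} "
              f"exact={checks_run_exact(p)}")
    print("unintended:", unintended_matches(SAMPLE_PATHS))
```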