Hi Ryan,

Tried that and still getting the same error.
I tried another approach where I changed all the PHASE 5 DOS PROTECTION
rules to PHASE 4.  So far, that seems to work! Any potential drawbacks of
shifting from Phase 5 to Phase 4?

Separately, I understand that BLOCK actions are typically deny + status:XXX,
or redirects.

I am using AJAX quite extensively in my site, and trying to figure out a way
for the AJAX request to error-out (assuming it is blocked by mod security)
gracefully via a prompt on the user's screen.

Currently, the ajax loading indicator will just load forever if the request
is blocked by mod security.

I tried setting the block action to "Redirect" to a "throwexception.php"
file which throws an exception, but the function calling the ajax request
doesn't receive the exception (I don't think exception information can get
passed through via a redirect).

Appreciate the guidance!

Thanks,
JPow

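The thread leaves the AJAX question open, so here is an added client-side example (not from the thread, from the CRS, or from ModSecurity) of how a page can turn a WAF block into a visible prompt instead of an endless loading indicator. It assumes the block action is deny with status 403 (the status value and the timeout are assumptions) and uses an abort timer so that a dropped connection also ends the spinner.

```javascript
// Added example (not from the thread or the CRS). Assumes the WAF block
// action is "deny,status:403", so a blocked call returns a non-2xx status
// the browser can act on. BLOCK_STATUS and TIMEOUT_MS are assumed values.
const BLOCK_STATUS = 403;
const TIMEOUT_MS = 8000;

// Map an HTTP status (or a transport failure) to what the user should see.
function classifyOutcome(status, transportFailed = false) {
  if (transportFailed) {
    return { ok: false, reason: "network",
             message: "The request could not be completed. Please try again." };
  }
  if (status === BLOCK_STATUS) {
    return { ok: false, reason: "blocked",
             message: "Your request was rejected by the site's security filter." };
  }
  if (status >= 200 && status < 300) {
    return { ok: true, reason: "ok", message: "" };
  }
  return { ok: false, reason: "error", message: `Server returned HTTP ${status}.` };
}

// Run the request with an abort timer. `doFetch` defaults to the global
// fetch but can be injected, which also makes the logic testable offline.
async function guardedFetch(url, options = {}, doFetch = globalThis.fetch,
                            timeoutMs = TIMEOUT_MS) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await doFetch(url, { ...options, signal: controller.signal });
    const outcome = classifyOutcome(res.status);
    // Only parse a body on success; a deny page has nothing useful to parse.
    const body = outcome.ok ? await res.json() : null;
    return { ...outcome, body };
  } catch (err) {
    // AbortError from the timer and a dropped connection both end up here.
    return { ...classifyOutcome(0, true), body: null };
  } finally {
    clearTimeout(timer);
  }
}

// UI hook: always stop the spinner, and show a prompt when the call failed.
function renderOutcome(outcome, ui = { spinner: true, prompt: null }) {
  ui.spinner = false;
  ui.prompt = outcome.ok ? null : outcome.message;
  return ui;
}
```

Wire it in the page as `guardedFetch("/api/items").then(r => renderOutcome(r, spinnerUi))`, where the endpoint and `spinnerUi` are placeholders for your own.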


From:  Ryan Barnett <rbarn...@trustwave.com>
Date:  Saturday, July 14, 2012 1:19 AM
To:  Jingxun Pow <pows...@gmail.com>,
"owasp-modsecurity-core-rule-set@lists.owasp.org"
<owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject:  Re: [Owasp-modsecurity-core-rule-set] DOS_Protection Problem:
Could not set variable "ip.dos_counter" as the collection does not exist.

Update the rules to use the ctl action to disable the SecRuleEngine -


# Place before the "Global and IP Collections" rules in crs_10_setup.conf.
# allow only skips phases 1-4; the phase 5 DoS counter rules still run, so
# ctl:ruleEngine=Off is used to disable the engine for the whole transaction.
SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/1.0$" \
        "phase:1,allow,nolog,chain,t:none"
        SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"
                SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" \
                        "ctl:ruleEngine=Off"


-Ryan

From: "JPow (powster)" <pows...@gmail.com>
Date: Fri, 13 Jul 2012 12:17:03 -0500
To: Ryan Barnett <rbarn...@trustwave.com>,
"owasp-modsecurity-core-rule-set@lists.owasp.org"
<owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] DOS_Protection Problem: Could
not set variable "ip.dos_counter" as the collection does not exist.

> Hi Ryan,
> 
> Sorry to bother again. After leaving the server running for a while, I realized
> I was facing the same problem even after incorporating suggestions below.
> 
> I realized the problem after looking through debug level 9 logs:
> 
> modsecurity_crs_11_dos_protection.conf has rules that are in PHASE:5. These
> Phase 5 rules are the ones that increase the ip.dos counters.
> 
> Since these rules are in Phase 5, they will be run regardless of whether the
> ALLOW action is provided for apache internal relay transactions.
> 
> Since the "allow" method doesn't work for Phase 5, is there any way to provide
> exceptions for these cases?
> 
> Thanks,
> JPow
> 
> From: Ryan Barnett <rbarn...@trustwave.com>
> Date: Friday, July 13, 2012 11:44 PM
> To: Jingxun Pow <pows...@gmail.com>,
> "owasp-modsecurity-core-rule-set@lists.owasp.org"
> <owasp-modsecurity-core-rule-set@lists.owasp.org>
> Subject: Re: [Owasp-modsecurity-core-rule-set] DOS_Protection Problem: Could
> not set variable "ip.dos_counter" as the collection does not exist.
> 
> 
> 
> From: "JPow (powster)" <pows...@gmail.com>
> Date: Fri, 13 Jul 2012 10:39:21 -0500
> To: Ryan Barnett <rbarn...@trustwave.com>,
> "owasp-modsecurity-core-rule-set@lists.owasp.org"
> <owasp-modsecurity-core-rule-set@lists.owasp.org>
> Subject: Re: [Owasp-modsecurity-core-rule-set] DOS_Protection Problem: Could
> not set variable "ip.dos_counter" as the collection does not exist.
> 
>> Hi Ryan,
>> 
>> Thanks for the tip. I tried adding this to the end of the 10_setup.conf:
>> 
>> SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/1.0$" \
>>         "phase:1,allow,nolog,chain,t:none"
>>         SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"
>>                 SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$"
> 
> I would add this before the [[ Global and IP Collections ]] rules.
> 
> Also, is your SecRuleEngine set to On? It needs to be to use the allow
> action.
> 
> -Ryan
> 
> 
>> 
>> Restarted apache and still kept getting:
>> DEBUG: [13/Jul/2012:15:34:13 +0000]
>> [ip-10-128-81-72.ap-southeast-1.compute.internal/sid#7f5fdc6a0370][rid#7f5fdf
>> 6310a0][*][3] Could not set variable "ip.dos_counter" as the collection does
>> not exist.
>> AUDIT:
>> --fe256340-A--
>> [13/Jul/2012:15:34:14 +0000] UAA-9gqAUUgAAB9cIOwAAAAH 127.0.0.1 34888
>> 127.0.0.1 80
>> --fe256340-B--
>> OPTIONS * HTTP/1.0
>> User-Agent: Apache (internal dummy connection)
>> 
>> --fe256340-F--
>> HTTP/1.1 200 OK
>> Content-Length: 0
>> Connection: close
>> 
>> --fe256340-H--
>> Message: Could not set variable "ip.dos_counter" as the collection does not
>> exist.
>> Stopwatch: 1342193654146888 832 (- - -)
>> Stopwatch2: 1342193654146888 832; combined=275, p1=0, p2=0, p3=0, p4=0,
>> p5=274, sr=0, sw=1, l=0, gc=0
>> Producer: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/);
>> OWASP_CRS/2.2.5; OWASP_CRS/2.2.5.
>> Server: Apache
>> 
>> --fe256340-Z--
>> 
>> Thinking that maybe the "chaining" of the rules was preventing a match, I
>> tried the following rules, all UNCHAINED (again, appended at the end of
>> 10_setup.conf)
>> SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/1.0$" "phase:1,allow,nolog"
>>         SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "phase:1,allow,nolog"
>>                 SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" \
>>                         "phase:1,allow,nolog"
>> 
>> Result: Still kept getting the same errors.
>> 
>> 
>> Am I doing something wrong? Is appending the rules to 10_setup.conf wrong?
>> Is there something wrong with the rules, which inadvertently allows the
>> apache internal dummy connection through?
>> 
>> Thank you so much.
>> 
>> JPow
>> From: Ryan Barnett <rbarn...@trustwave.com>
>> Date: Friday, July 13, 2012 10:11 PM
>> To: Jingxun Pow <pows...@gmail.com>,
>> "owasp-modsecurity-core-rule-set@lists.owasp.org"
>> <owasp-modsecurity-core-rule-set@lists.owasp.org>
>> Subject: Re: [Owasp-modsecurity-core-rule-set] DOS_Protection Problem: Could
>> not set variable "ip.dos_counter" as the collection does not exist.
>> 
>> The rules in the 47 common exceptions file will only adjust the anomaly
>> scores.  You could take these rules and place them into local 15 files and
>> add the "allow" action to them.
>> 
>> -- 
>> Ryan Barnett
>> Trustwave SpiderLabs
>> ModSecurity Project Leader
>> OWASP ModSecurity CRS Project Leader
>> 
>> From: "JPow (powster)" <pows...@gmail.com>
>> Date: Fri, 13 Jul 2012 09:01:11 -0500
>> To: "owasp-modsecurity-core-rule-set@lists.owasp.org"
>> <owasp-modsecurity-core-rule-set@lists.owasp.org>
>> Subject: [Owasp-modsecurity-core-rule-set] DOS_Protection Problem: Could not
>> set variable "ip.dos_counter" as the collection does not exist.
>> 
>>> Hi there,
>>> 
>>> I am facing a problem where I get "Could not set variable "ip.dos_counter"
>>> as the collection does not exist." debug output when using the
>>> dos_protection rule set ( "modsecurity_crs_11_dos_protection.conf").
>>> * DOS_Protection works as it should, so no issues with that (I have
>>> uncommented the relevant lines in the crs_10_setup.conf, as well as properly
>>> linked up the crs_11_dos_protection.conf
>>> * However, I find that the debug is littered with "Could not set variable
>>> "ip.dos_counter" as the collection does not exist."
>>> * I've realized that this is NOT a problem with INITCOL:IP not being called
>>> in the setup conf file --> This works properly (I am using the default
>>> crs_10_setup.conf)
>>> * The issue ONLY occurs with Apache (internal dummy connection) (see below
>>> debug / audit output)
>>>> * If you see below Audit Output, it is not a standard "GET" request.
>>>> * From my understanding, Apache's internal dummy connections are just done
>>>> by Apache to wake up its child processes.
>>> * I am puzzled why this happens, because I thought there already is an
>>> exception for Apache internal dummy connections in 47
>>> common_exceptions.conf?
>>> Any reason why these dummy connections are still causing the error messages
>>> in the debug? And if so, how to solve this issue?
>>> 
>>> Thanks!
>>> 
>>> My system:
>>> -Ubuntu 12.04 on Amazon EC2
>>> -Apache 2.6.3 Mod_Security
>>> -OWASP_CRS/2.2.5.
>>> 
>>> Debug output:
>>> [13/Jul/2012:13:29:46 +0000]
>>> [ip-XX-XXX-XX-XX.ap-southeast-1.compute.internal/sid#7f40d4a48370][rid#7f40d
>>> 64c60a0][*][3] Could not set variable "ip.dos_counter" as the collection
>>> does not exist.
>>> 
>>> Audit Output:
>>> --695eef13-A--
>>> [13/Jul/2012:13:29:46 +0000] UAAiygqAUUgAABqMEm0AAAAE 127.0.0.1 34716
>>> 127.0.0.1 80
>>> --695eef13-B--
>>> OPTIONS * HTTP/1.0
>>> User-Agent: Apache (internal dummy connection)
>>> 
>>> --695eef13-F--
>>> HTTP/1.1 200 OK
>>> Content-Length: 0
>>> Connection: close
>>> 
>>> --695eef13-H--
>>> Message: Could not set variable "ip.dos_counter" as the collection does not
>>> exist.
>>> Stopwatch: 1342186186315250 284 (- - -)
>>> Stopwatch2: 1342186186315250 284; combined=119, p1=0, p2=0, p3=0, p4=0,
>>> p5=118, sr=0, sw=1, l=0, gc=0
>>> Producer: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/);
>>> OWASP_CRS/2.2.5; OWASP_CRS/2.2.5.
>>> Server: Apache
>>> 
>>> --695eef13-Z--
>> 
>> 
>> This transmission may contain information that is privileged, confidential,
>> and/or exempt from disclosure under applicable law. If you are not the
>> intended recipient, you are hereby notified that any disclosure, copying,
>> distribution, or use of the information contained herein (including any
>> reliance thereon) is STRICTLY PROHIBITED. If you received this transmission
>> in error, please immediately contact the sender and destroy the material in
>> its entirety, whether in electronic or hard copy format.
> 
> 




_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
