Hi Ryan,

 

I had read these posts already, but I don't think that this is the problem in 
my case.  Here is what I get from the server: 

 

 

 

You can see that a status 408 is returned, not a 200.  In addition, I also have 
the following line in my apache access log:

80.201.47.144 - - [17/Feb/2013:11:01:26 -0500] "GET / HTTP/1.1" 408 498 "-" "-"

 

But nothing is written to the modsec debug log at all...

 

So I think it's a different problem than the one referred to in the posts you 
provided.  Any other thought or hint that could put me on the right track?

 

Thanks

Olivier Demin

Head of Front Department/IT Change

Solution Architect


 

From: Ryan Barnett [mailto:rbarn...@trustwave.com] 
Sent: Saturday 16 February 2013 15:19
To: Demin Olivier
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] slow dos attacks detection 
problem

 

See this blog post -

http://blog.spiderlabs.com/2011/07/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html

Caution: there are several reports that mod_reqtimeout does not issue a 408 
status code under various conditions 
<http://old.nabble.com/-users@httpd--mod_reqtimeout-not-returning-408-td31405422.html>.  
This means that this implementation described below may not work reliably.

http://apache-http-server.18135.n6.nabble.com/users-httpd-mod-reqtimeout-not-returning-408-td4770478.html

 

--

Ryan Barnett

Lead Security Researcher

Trustwave - SpiderLabs


On Feb 16, 2013, at 6:50 AM, "Demin Olivier" <olivier.de...@generali.be> wrote:

         

        Hello,
        
        I'm using the CRS 2.2.7 with mod_security 2.7.2 and apache 2.2.14 on 
        Linux Ubuntu.  I seem to have troubles with the 
        modsecurity_crs_11_slow_dos_protection.conf from the experimental 
        ruleset.  In fact, the reqtimeout module is working fine and fires 408 
        errors after the specified number of seconds when I don't provide the 
        HTTP header fast enough (I tested that by simply performing manual 
        telnet sessions on the port 80 of my server).  But these 408 errors 
        seem not to be intercepted by mod_security at all.  Indeed, when I 
        enable the maximum debug logs (level 9), nothing is appended in the 
        debug log upon 408 firing:  no trace of any rule being checked in that 
        particular case.
        
        So it seems that the reqtimeout module returns in a way that prevents 
        mod_security from being activated.
        
        Did any of you encounter similar problems?
        
        Thanks for your help
        
        Olivier Demin 

        
        ###########################################
        GENERALI BELGIUM NV-SA - Verzekeringen-Assurances
        Louizalaan 149 Avenue Louise - Brussel 1050 Bruxelles
        Ondernemingsnummer 0403.262.553 Numéro d'entreprise
        RPR Brussel - RPM Bruxelles
        ###########################################
        This e-mail and any files transmitted with it are confidential and
        intended solely for the use of the individual or entity to whom they 
        are addressed. If you have received this e-mail in error please notify 
        the system manager. 

                                                       
        Owasp-modsecurity-core-rule-set mailing list
        Owasp-modsecurity-core-rule-set@lists.owasp.org
        https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

 

                                

