In order for ModSecurity to "see" the request and assign a unique ID to it, make sure it is running in the Apache post-read-request hook for phase:1 by using the --enable-request-early configure flag.
Try that and see if it helps.

--
Ryan Barnett
Lead Security Researcher
Trustwave - SpiderLabs

On Feb 18, 2013, at 3:08 AM, "Demin Olivier" <olivier.de...@generali.be> wrote:

> Hi Ryan,
>
> I had read these posts already, but I don’t think that this is the problem in my case. Here is what I get from the server:
>
> <image002.png>
>
> You can see that a status 408 is returned, not a 200. In addition, I also have the following line in my apache access log:
>
> 80.201.47.144 - - [17/Feb/2013:11:01:26 -0500] "GET / HTTP/1.1" 408 498 "-" "-"
>
> But nothing is written to the modsec debug log at all…
>
> So I think it’s a different problem than the one referred to in the posts you provided. Any other thought or hint that could put me on the right track?
>
> Thanks
>
> Olivier Demin
> Head of Front Department/IT Change
> Solution Architect
> Tel: +32 (0)2 403 8083
> Mobile: +32 (0)473 83 10 29
> Avenue Louise 149, B-1050 Bruxelles
> Mail: olivier.de...@generali.be
> Site: www.generali.be
>
> From: Ryan Barnett [mailto:rbarn...@trustwave.com]
> Sent: Saturday, 16 February 2013 15:19
> To: Demin Olivier
> Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: Re: [Owasp-modsecurity-core-rule-set] slow dos attacks detection problem
>
> See this blog post - http://blog.spiderlabs.com/2011/07/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html
>
> Caution: there are several reports that mod_reqtimeout does not issue a 408 status code under various conditions. This means that this implementation described below may not work reliably.
>
> http://apache-http-server.18135.n6.nabble.com/users-httpd-mod-reqtimeout-not-returning-408-td4770478.html
>
> --
> Ryan Barnett
> Lead Security Researcher
> Trustwave - SpiderLabs
>
> On Feb 16, 2013, at 6:50 AM, "Demin Olivier" <olivier.de...@generali.be> wrote:
>
> Hello,
>
> I'm using the CRS 2.2.7 with mod security 2.7.2 and apache 2.2.14 on Linux Ubuntu. I seem to have troubles with the modsecurity_crs_11_slow_dos_protection.conf from the experimental ruleset. In fact, the reqtimeout module is working fine and fires 408 errors after the specified number of seconds when I don't provide the HTTP header fast enough (I tested that by simply performing manual telnet sessions on the port 80 of my server). But these 408 errors seem not to be intercepted by mod security at all. Indeed, when I enable the maximum debug logs (level 9), nothing is appended in the debug log upon 408 firing: no trace of any rule being checked in that particular case.
>
> So it seems that the reqtimeout module returns in a way that prevents mod security from being activated.
>
> Did any of you encounter similar problems?
>
> Thanks for your help
>
> Olivier Demin
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
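
The thread reports that the 408 reaches the Apache access log even when nothing appears in the ModSecurity debug log, so the access log itself can be used to spot clients that repeatedly time out. The following is an added example, not part of the original thread or of the CRS; the threshold, window, function names and sample log lines (modelled on the access-log line quoted above, with documentation IP addresses) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined prefix: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse(line):
    """Return (ip, timestamp, status), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))

def slow_request_sources(lines, threshold=3, window=timedelta(seconds=60)):
    """Map each client IP to the time it first reached `threshold` 408s in `window`."""
    recent = defaultdict(deque)   # per-IP timestamps of recent 408 responses
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != 408:
            continue              # skip unparsable lines and non-timeout responses
        ip, ts, _ = rec
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop 408s that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample lines (assumed values, not taken from a real server).
SAMPLE = [
    '192.0.2.10 - - [17/Feb/2013:11:01:00 -0500] "GET / HTTP/1.1" 200 498 "-" "-"',
    '192.0.2.10 - - [17/Feb/2013:11:01:05 -0500] "-" 408 - "-" "-"',
    '192.0.2.10 - - [17/Feb/2013:11:01:26 -0500] "GET / HTTP/1.1" 408 498 "-" "-"',
    '198.51.100.7 - - [17/Feb/2013:11:01:30 -0500] "GET / HTTP/1.1" 408 498 "-" "-"',
    '192.0.2.10 - - [17/Feb/2013:11:01:40 -0500] "GET / HTTP/1.1" 408 498 "-" "-"',
    '198.51.100.7 - - [17/Feb/2013:11:05:30 -0500] "GET / HTTP/1.1" 408 498 "-" "-"',
    'not an access log line',
]

if __name__ == "__main__":
    for ip, when in slow_request_sources(SAMPLE).items():
        print(f"{ip} reached the 408 threshold at {when.isoformat()}")
```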