Hello, I've been setting up mod_security and enabled the modsecurity_crs_11_dos_protection.conf rule. This is mod_security 2.6.8 and CRS version 2.2.5.
I have initialized the settings with:

    SecAction \
      "id:'900015', \
      phase:1, \
      t:none, \
      setvar:'tx.dos_burst_time_slice=60', \
      setvar:'tx.dos_counter_threshold=300', \
      setvar:'tx.dos_block_timeout=600', \
      nolog, \
      pass"

This works and it is blocking some very aggressive bots the way it should. But there is a problem. I have occasionally been getting lines like this in the log:

    Warning. Operator GE matched 2 at IP:dos_burst_counter. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_11_dos_protection.conf"] [line "44"] [id "981049"] [msg "Potential Denial of Service (DoS) Attack from 65.55.24.236 - # of Request Bursts: 3"]

This bot was actually bingbot. I am new to mod_security, but my understanding of my settings is that it shouldn't block until a bot has requested 300 pages in 60 seconds. When I check the logs I see that IP 65.55.24.236 has requested 313 pages in 1 hour. In the 60 seconds before the DoS block happened, this IP only requested 6 pages. This block obviously shouldn't be happening. Am I grossly misunderstanding something, or what can I do to fix this?

Thanks,
Nick
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
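To make the interaction of the three tx.* values concrete, here is an added example (not code from the post and not the CRS rule file) that replays a constructed request timeline through three candidate models of how the per-IP request counter could be scoped. The parameter values are the ones from Nick's SecAction; the three models (a counter scoped to the current 60-second slice, a counter that accumulates for the life of the IP collection and is cleared when a burst is recorded, and a counter that accumulates and is never cleared) are assumptions made for this example only. Which one matches a given installation has to be checked against the setvar/expirevar actions in the installed modsecurity_crs_11_dos_protection.conf; the example only shows what each reading predicts for the traffic pattern described (313 pages in an hour, 6 in the last minute) and for a genuine burst.

```python
"""Replay a request timeline through candidate models of the CRS DoS counters.

Parameters are the tx.* values from the post. The counter models are
assumptions of this example, not a description of the installed rule file.
"""
from dataclasses import dataclass, field

DOS_BURST_TIME_SLICE = 60     # tx.dos_burst_time_slice (seconds)
DOS_COUNTER_THRESHOLD = 300   # tx.dos_counter_threshold (requests)
DOS_BLOCK_TIMEOUT = 600       # tx.dos_block_timeout (seconds)

# Candidate semantics for the per-IP request counter (assumptions).
PER_SLICE = "per_slice"                    # counter covers only the current slice
CUMULATIVE_RESET = "cumulative_reset"      # never expires; cleared when a burst is recorded
CUMULATIVE_NORESET = "cumulative_noreset"  # never expires; never cleared


@dataclass
class IpState:
    counter: int = 0
    slice_started: float = 0.0
    burst_counter: int = 0
    burst_expires: float = 0.0
    blocked_until: float = 0.0
    dropped: int = 0
    events: list = field(default_factory=list)  # (what, time, burst_counter)


def handle_request(state: IpState, now: float, mode: str) -> bool:
    """Process one non-static request at `now` (seconds).

    Returns True when the request is dropped because the IP is blocked,
    False when it is served.
    """
    # Expire the block and the burst marker (expirevar-style timeouts).
    if state.blocked_until and now >= state.blocked_until:
        state.blocked_until = 0.0
    if state.burst_counter and now >= state.burst_expires:
        state.burst_counter = 0
    if state.blocked_until:
        state.dropped += 1
        return True

    if mode == PER_SLICE and now - state.slice_started >= DOS_BURST_TIME_SLICE:
        state.counter = 0
        state.slice_started = now
    state.counter += 1

    if state.counter > DOS_COUNTER_THRESHOLD:
        # A burst: bump the burst counter and let it expire after one slice.
        state.burst_counter += 1
        state.burst_expires = now + DOS_BURST_TIME_SLICE
        state.events.append(("burst", now, state.burst_counter))
        if mode != CUMULATIVE_NORESET:
            state.counter = 0
            state.slice_started = now

    if state.burst_counter >= 2 and not state.blocked_until:
        # Two bursts within one slice: block for dos_block_timeout seconds.
        state.blocked_until = now + DOS_BLOCK_TIMEOUT
        state.events.append(("block", now, state.burst_counter))
    return False


def crawler_timeline(spread: int, last_minute: int) -> list:
    """Constructed traffic: `spread` requests spaced evenly over the first 59
    minutes of an hour, then `last_minute` requests inside the final 60 s."""
    window = 3600 - 60
    times = [i * window / spread for i in range(spread)]
    times += [window + 1 + i * 60 / last_minute for i in range(last_minute)]
    return times


def burst_timeline(count: int, seconds: float = 60.0) -> list:
    """Constructed traffic: `count` requests evenly inside `seconds`."""
    return [i * seconds / count for i in range(count)]


def replay(mode: str, timeline: list) -> IpState:
    state = IpState()
    for t in timeline:
        handle_request(state, t, mode)
    return state


if __name__ == "__main__":
    polite = crawler_timeline(307, 6)  # 313 requests in an hour, 6 in the last minute
    for mode in (PER_SLICE, CUMULATIVE_RESET, CUMULATIVE_NORESET):
        st = replay(mode, polite)
        print(f"{mode:20s} dropped={st.dropped:3d} events={st.events}")
    print("700 req/min under per_slice:", replay(PER_SLICE, burst_timeline(700)).events)
```

Run as-is, the per-slice and cumulative-with-reset models serve every one of the 313 requests and record at most one burst, while only the model in which the counter is never cleared reaches a burst count of 2 and blocks; the 700-requests-per-minute timeline is blocked under every model, which is the behaviour the thresholds are meant to produce. The useful check on a real box is to compare the setvar/expirevar actions in the installed rule file against these three readings before tuning the numbers.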