Thanks.

Yeah, we discussed the use of mod_reqtimeout in our blog post -
http://blog.spiderlabs.com/2011/07/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html

Ryan Barnett
Lead Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Rogerio Brito <rogerio.br...@intercode.com.br>
Date: Thursday, May 8, 2014 4:48 PM
To: Ryan Barnett <rbarn...@trustwave.com>
Cc: "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: RES: [Owasp-modsecurity-core-rule-set] Need help with Joomla websites rules and SlowHttp Attacks

Hi Ryan,

Ok, I’ll open tickets on github.

To fix the Slow DoS Attacks I’ve changed the rule as indicated on the Acunetix website, as follows:

<IfModule reqtimeout_module>
RequestReadTimeout header=20-40,MinRate=500 body=30,MinRate=500
</IfModule>

After that they reported it as secure.

Thank you
[]s

From: Ryan Barnett [mailto:rbarn...@trustwave.com]
Sent: Tuesday, May 6, 2014 18:28
To: Rogerio Brito
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Need help with Joomla websites rules and SlowHttp Attacks

Rogerio,
A couple of comments -

1) Please open GitHub Issue tickets for your false positives so that we can fix 
them.

2) How is Acunetix actually testing the vuln?

Keep in mind that the ModSecurity defenses for slow DoS attacks (headers vs 
post body) are really based on a scenario where a client has too many 
connections open vs actually doing any per-thread timing. If the scanner is 
only opening a single/small # of connections to test then the 
SecConnReadStateLimit/SecConnWriteStateLimit directives won't trigger.

Ryan Barnett
Lead Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
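The two defence models Ryan contrasts, as an added example that is not part of the thread nor code from Apache or ModSecurity: a simplified replay of Rogerio's RequestReadTimeout line (initial timeout, extended by one second per MinRate bytes received, capped by the optional maximum) beside a per-IP connection counter standing in for SecConnReadStateLimit. The limit of 50, the traffic samples and the IP address are constructed for illustration.

```python
# Added illustration (not from the thread, Apache or ModSecurity); semantics simplified.
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass
class PhaseTimeout:
    initial: float            # seconds granted before any data arrives
    maximum: Optional[float]  # hard cap; None = unbounded (as in body=30,MinRate=500)
    min_rate: Optional[int]   # bytes that buy one more second; None = no extension

def parse_request_read_timeout(directive: str) -> dict:
    """Parse 'RequestReadTimeout header=20-40,MinRate=500 body=30,MinRate=500'."""
    phases = {}
    for token in directive.split()[1:]:
        name, spec = token.split("=", 1)
        parts = spec.split(",")
        lo, _, hi = parts[0].partition("-")
        min_rate = None
        for extra in parts[1:]:
            key, value = extra.split("=", 1)
            if key.lower() == "minrate":
                min_rate = int(value)
        phases[name] = PhaseTimeout(float(lo), float(hi) if hi else None, min_rate)
    return phases

def reqtimeout_aborts(events, cfg: PhaseTimeout):
    """Replay (second, nbytes) chunks of one request phase on one connection.
    Returns (aborted, deadline): aborted is True when a chunk arrives after the
    deadline, which only the bytes already received have been able to extend."""
    deadline = cfg.initial
    for t, nbytes in events:
        if t > deadline:
            return True, round(deadline, 2)
        if cfg.min_rate:
            deadline += nbytes / cfg.min_rate
            if cfg.maximum is not None:
                deadline = min(deadline, cfg.maximum)
    return False, round(deadline, 2)

def conn_limit_exceeded(open_conns, limit: int) -> bool:
    """open_conns: (client_ip, state) pairs. True when one IP holds more than
    `limit` connections in the read state, the SecConnReadStateLimit model."""
    reading = Counter(ip for ip, state in open_conns if state == "read")
    return any(n > limit for n in reading.values())

# Constructed traffic: one client trickling 10 header bytes every 5 s on a single
# connection (scanner-style), and a normal client sending a 600-byte header at 1 s.
SLOW_SINGLE = [(0, 100)] + [(t, 10) for t in range(5, 120, 5)]
NORMAL_CLIENT = [(1, 600)]
```

With these inputs the single trickling connection is cut off by mod_reqtimeout shortly after 20 s, while a connection counter with any realistic limit never fires on it, which is why the scanner kept reporting the site as vulnerable.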

On May 6, 2014, at 5:12 PM, "Rogerio Brito" <rogerio.br...@intercode.com.br> wrote:
Hello all,

I have lots of Joomla websites and I’ve just installed mod_security with 
Owasp-modsecurity-core-rule-set. I had to disable the 
modsecurity_crs_41_xss_attacks.conf and 
modsecurity_crs_41_sql_injection_attacks.conf rules because I could not edit 
any article. Whenever I tried to save the article I would get a 403 forbidden. 
I watched the audit log file and I’ve tried to comment out rule by rule that 
fails, but as we are editing HTML content there are so many rules to comment 
that I believe there must be some other way to do it.
In another case, I’ve enabled the modsecurity_crs_11_slow_dos_protection.conf 
rules, but I’ve tested the site with http://www.acunetix.com/ and it still 
reports the site as vulnerable to “Slow HTTP Denial of Service Attack”.

Can someone please help?

Thank you
Rogerio Brito

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

________________________________

This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, distribution, 
or use of the information contained herein (including any reliance thereon) is 
strictly prohibited. If you received this transmission in error, please 
immediately contact the sender and destroy the material in its entirety, 
whether in electronic or hard copy format.
