In your modsecurity_crs_10_setup.conf file you need to make sure to uncomment
and define the paths for your login page. You will notice the first line of
the rule is commented out with a regular pound symbol. Then restart Apache.
Here is how mine looks. I set it up for WordPress and Drupal. It has been
working well for WordPress brute force attempts:

#
# -- [[ Brute Force Protection ]] ---------------------------------------------------------
#
# If you are using the Brute Force Protection rule set, then uncomment the following
# lines and set the following variables:
# - Protected URLs: resources to protect (e.g. login pages) - set to your login page
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
SecAction \
  "id:'900014', \
  phase:1, \
  t:none, \
  setvar:'tx.brute_force_protected_urls=#/wp-login.php# #/user#', \
  setvar:'tx.brute_force_burst_time_slice=60', \
  setvar:'tx.brute_force_counter_threshold=10', \
  setvar:'tx.brute_force_block_timeout=300', \
  nolog, \
  pass"


Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com <http://www.otherdata.com/>
<http://www.facebook.com/otherdata>

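As an added illustration (not from the original post and not the CRS rule files themselves), the Python below models in simplified form what those four variables do: a per-client counter that expires after the burst time slice, a block set once the counter passes the threshold, and the block expiring after the block timeout. With the values above, ten requests to /wp-login.php within 60 seconds pass and the eleventh is blocked for 300 seconds. The client IPs and request times are constructed; the class and method names are this example's own.

```python
from dataclasses import dataclass

# Values taken from the SecAction above; everything else here is a constructed model.
PROTECTED_URLS = ("/wp-login.php", "/user")
BURST_TIME_SLICE = 60     # seconds the per-client counter lives (tx.brute_force_burst_time_slice)
COUNTER_THRESHOLD = 10    # requests above which a block is set (tx.brute_force_counter_threshold)
BLOCK_TIMEOUT = 300       # seconds the block stays active (tx.brute_force_block_timeout)


@dataclass
class ClientState:
    counter: int = 0            # models ip.brute_force_counter
    counter_expires: float = 0  # models the expirevar on that counter
    blocked_until: float = 0    # models ip.brute_force_block with its expirevar


class BruteForceGuard:
    """Simplified per-IP model of the CRS brute force protection rules."""

    def __init__(self, protected=PROTECTED_URLS, time_slice=BURST_TIME_SLICE,
                 threshold=COUNTER_THRESHOLD, block_timeout=BLOCK_TIMEOUT):
        self.protected = set(protected)
        self.time_slice = time_slice
        self.threshold = threshold
        self.block_timeout = block_timeout
        self.clients = {}

    def handle(self, ip, request_filename, now):
        """Decide 'allow' or 'block' for one request seen at time `now` (seconds)."""
        st = self.clients.setdefault(ip, ClientState())
        # An active block applies to every request from that client, not only login pages.
        if now < st.blocked_until:
            return "block"
        # Only exact matches on the protected URLs feed the counter, like @within
        # against the '#'-delimited list in tx.brute_force_protected_urls.
        if request_filename not in self.protected:
            return "allow"
        # expirevar semantics: the counter vanishes once the time slice has elapsed.
        if now >= st.counter_expires:
            st.counter = 0
        st.counter += 1
        st.counter_expires = now + self.time_slice
        if st.counter > self.threshold:
            # Threshold exceeded: block for the timeout and clear the counter.
            st.blocked_until = now + self.block_timeout
            st.counter = 0
            return "block"
        return "allow"
```

Lowering the threshold or lengthening the time slice in this model shows the same trade-off as in the real rules: fewer attempts get through before a block, at the cost of more false positives for users who mistype a password several times.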

From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org 
[mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of 
Sabin Ranjit
Sent: August-21-14 4:17 AM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] crs against brute force not working


Hi,

I'm using the latest ModSecurity rule set and I tried out crs_11_bruteforce from
the experimental rules, but it's not working for me. I created a shortlink to it in
the activated rules directory, restarted Apache, and when I brute force my
web application login page the ModSecurity audit log doesn't give me any brute
force warnings. What could be the problem? I'm using Burp Suite Pro's
Intruder for brute forcing.

Can anyone point me to a helpful resource that I can follow?

Thanks.

Regards,

Sabin

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
