sorry, I checked out everything you have mentioned, it didn't work out for me. :(
thanks for your replies, regards,

On Fri, Aug 22, 2014 at 9:40 PM, Wesley Render <wren...@otherdata.com> wrote:
> No. I have not actually tested it with other web software. Maybe try the
> following?
>
> · Make sure the modsecurity_crs_11_brute_force.conf is loading properly.
>   Maybe you have made a mistake with the symbolic link or put the file in
>   the wrong folder.
>
> · Make sure you have uncommented the brute force rule in
>   modsecurity_crs_10_setup.conf (by default it is commented out).
>
> · Maybe try changing your URL to include your actual web login file? I know
>   they show it without pound symbols on each end. Like this:
>   setvar:'tx.brute_force_protected_urls=/wp-login.php', \
>
> *Wesley Render, IT Consultant, RHCSA*
> Phone: 1.403.228.1221 ext 201
> www.otherdata.com
>
> *From:* Sabin Ranjit [mailto:think.sa...@gmail.com]
> *Sent:* August-21-14 11:21 PM
> *To:* Wesley Render
> *Cc:* owasp-modsecurity-core-rule-set@lists.owasp.org
> *Subject:* Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working
>
> naah!! I tried it, it's not working for me. I used the value like that but
> when I do a brute force attempt in the web application with random username
> and password it gives me nothing in the mod audit log. I'm using Burp Suite
> Pro Intruder for testing.
>
> Have you tried it besides WordPress? Wonder what I'm doing wrong.
>
> thanks anyway.
>
> cheers
>
> On Thu, Aug 21, 2014 at 11:43 PM, Wesley Render <wren...@otherdata.com> wrote:
>
> I believe you would just set yours like this (just include the URL after
> the domain name)….
>
> #
> # -- [[ Brute Force Protection ]] ---------------------------------------------------------
> #
> # If you are using the Brute Force Protection rule set, then uncomment the following
> # lines and set the following variables:
> # - Protected URLs: resources to protect (e.g. login pages) - set to your login page
> # - Burst Time Slice Interval: time interval window to monitor for bursts
> # - Request Threshold: request # threshold to trigger a burst
> # - Block Period: temporary block timeout
> #
> SecAction \
>   "id:'900014', \
>   phase:1, \
>   t:none, \
>   setvar:'tx.brute_force_protected_urls=#/user/user/login/#', \
>   setvar:'tx.brute_force_burst_time_slice=60', \
>   setvar:'tx.brute_force_counter_threshold=10', \
>   setvar:'tx.brute_force_block_timeout=300', \
>   nolog, \
>   pass"
>
> *From:* Sabin Ranjit [mailto:think.sa...@gmail.com]
> *Sent:* August-21-14 10:39 AM
> *To:* Wesley Render
> *Cc:* owasp-modsecurity-core-rule-set@lists.owasp.org
> *Subject:* Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working
>
> hi Wesley,
>
> I'm not using WordPress, I'm trying to protect my application made in the Yii
> framework and its login URL looks like this:
> https://domainname.net/user/user/login/
>
> How can I set the brute_force_protected_urls value for this kind of URL? I tried
> a few ways but it gave me a syntax error.
>
> thanks,
>
> regards
>
> On Thu, Aug 21, 2014 at 9:36 PM, Wesley Render <wren...@otherdata.com> wrote:
>
> In your modsecurity_crs_10_setup.conf file you need to make sure to
> uncomment it, and define the paths for your login page. You will notice the
> first line of the rule is commented out with a regular pound symbol. Then
> restart Apache. Here is how mine looks. I set it up for WordPress and
> Drupal. It has been working well for WordPress brute force attempts:
>
> #
> # -- [[ Brute Force Protection ]] ---------------------------------------------------------
> #
> # If you are using the Brute Force Protection rule set, then uncomment the following
> # lines and set the following variables:
> # - Protected URLs: resources to protect (e.g. login pages) - set to your login page
> # - Burst Time Slice Interval: time interval window to monitor for bursts
> # - Request Threshold: request # threshold to trigger a burst
> # - Block Period: temporary block timeout
> #
> SecAction \
>   "id:'900014', \
>   phase:1, \
>   t:none, \
>   setvar:'tx.brute_force_protected_urls=#/wp-login.php# #/user#', \
>   setvar:'tx.brute_force_burst_time_slice=60', \
>   setvar:'tx.brute_force_counter_threshold=10', \
>   setvar:'tx.brute_force_block_timeout=300', \
>   nolog, \
>   pass"
>
> *From:* owasp-modsecurity-core-rule-set-boun...@lists.owasp.org
> [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] *On Behalf Of* Sabin Ranjit
> *Sent:* August-21-14 4:17 AM
> *To:* owasp-modsecurity-core-rule-set@lists.owasp.org
> *Subject:* [Owasp-modsecurity-core-rule-set] crs against brute force not working
>
> hi,
>
> I'm using the latest ModSecurity rule set and I tried out crs_11_bruteforce
> from the experimental rules. But it's not working for me. I created a symlink
> to it in the activated rules directory, restarted Apache and when I
> brute force my web application login page the ModSecurity audit log doesn't
> give me any brute force warnings. What could be the problem? I'm using Burp
> Suite Pro's Intruder for brute forcing.
>
> Can anyone point to a helpful resource that I can follow?
>
> thanks.
>
> regards
>
> sabin
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
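As an added example (not code from the thread or from the CRS rule files), here is a simplified Python model of the four settings in the SecAction quoted above: a request counts only when its whole REQUEST_FILENAME, wrapped in `#`, appears in tx.brute_force_protected_urls, and a client that exceeds the threshold within one time slice is blocked for the block timeout. The IPs, paths and timestamps are constructed, and the real rule chain in modsecurity_crs_11_brute_force.conf is more involved, so this illustrates the parameters rather than CRS's exact logic.

```python
"""Simplified model of the CRS 2.x brute-force settings (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class BruteForceGuard:
    # Mirrors tx.brute_force_protected_urls / _burst_time_slice /
    # _counter_threshold / _block_timeout from the SecAction in the thread.
    protected_urls: str
    burst_time_slice: int = 60
    counter_threshold: int = 10
    block_timeout: int = 300
    # per-client state: ip -> (slice_start, count, block_until)
    _state: dict = field(default_factory=dict)

    def is_protected(self, request_filename: str) -> bool:
        """Assumption: an entry matches only when the whole REQUEST_FILENAME,
        wrapped in the '#' delimiters, appears in the configured string."""
        return f"#{request_filename}#" in self.protected_urls

    def handle(self, ip: str, request_filename: str, now: int) -> str:
        """Return 'ignored', 'counted' or 'blocked' for one request at time `now`."""
        if not self.is_protected(request_filename):
            return "ignored"
        slice_start, count, block_until = self._state.get(ip, (now, 0, 0))
        if now < block_until:                            # block still active
            return "blocked"
        if now - slice_start >= self.burst_time_slice:   # counter expired, new slice
            slice_start, count = now, 0
        count += 1
        if count > self.counter_threshold:               # burst detected: start block
            block_until = now + self.block_timeout
        self._state[ip] = (slice_start, count, block_until)
        return "blocked" if count > self.counter_threshold else "counted"


def demo() -> list:
    """Eleven hits in ten seconds trip the block; it lapses after 300 s."""
    guard = BruteForceGuard("#/wp-login.php# #/user/user/login#")
    events = [("10.0.0.5", "/user/user/login", t) for t in range(11)]
    events += [("10.0.0.5", "/user/user/login", 100),   # still blocked
               ("10.0.0.5", "/user/user/login", 311),   # block and counter expired
               ("10.0.0.5", "/user/user/login/", 312),  # trailing slash: never matched
               ("10.0.0.9", "/wp-login.php", 5)]        # other client, first hit
    return [guard.handle(*e) for e in events]


if __name__ == "__main__":
    print(demo())
```

Note how `/user/user/login/` (trailing slash) is ignored when the configured entry is `#/user/user/login#`: the configured value and the REQUEST_FILENAME Apache actually sees must agree character for character before any counting starts.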