I've a few questions about modsecurity_crs_11_dos_protection.conf

Question 1: The first set of rules are these:

    #
    # Enforce an existing IP address block and log only 1-time/minute
    # We don't want to get flooded by alerts during an attack or scan so
    # we are only triggering an alert once/minute. You can adjust how often
    # you want to receive status alerts by changing the expirevar setting below.
    #
    SecRule IP:DOS_BLOCK "@eq 1" "chain,phase:1,id:'981044',drop,msg:'Denial of Service (DoS) Attack Identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)',setvar:ip.dos_block_counter=+1"
            SecRule &IP:DOS_BLOCK_FLAG "@eq 0" "setvar:ip.dos_block_flag=1,expirevar:ip.dos_block_flag=60,setvar:tx.dos_block_counter=%{ip.dos_block_counter},setvar:ip.dos_block_counter=0"

    #
    # Block and track # of requests but don't log
    SecRule IP:DOS_BLOCK "@eq 1" "phase:1,id:'981045',t:none,drop,nolog,setvar:ip.dos_block_counter=+1"

Is rule 981045 needed? Rule 981044 already increments the counter even if the chained rule does not match, so I don't see the point in rule 981045. Or am I misunderstanding this: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#setvar

Question 2:

    #
    # DOS Counter
    # Count the number of requests to non-static resources
    #
    SecRule REQUEST_BASENAME "!\.(jpe?g|png|gif|js|css|ico)$" "phase:5,id:'981047',t:none,nolog,pass,setvar:ip.dos_counter=+1"

Any reason we don't use t:lowercase instead of assuming the file extensions are already in lowercase? It would also be nice to specify the exact pattern match in modsecurity_crs_10_setup.conf, with it defaulting to the above, though I guess you can always use SecRuleUpdateTargetById to add your own extensions or other pattern matching.

Question 3:

    #
    # Check DOS Counter
    # If the request count is greater than or equal to user settings,
    # we then set the burst counter
    #
    SecRule IP:DOS_COUNTER "@gt %{tx.dos_counter_threshold}" "phase:5,id:'981048',t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter"

I presume it is a typo to have t:none specified twice in this rule?

Question 4: Not directly related to this, but has anyone made any progress in keeping ip.pag down to a reasonable size, as it doesn't seem to clean up like it should? There are several posts about this around the place, but I have not managed to find any definitive answers...

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
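To see how the counter, burst and block variables quoted above interact (including the once-per-minute alert flag from 981044 and the case-sensitive static-file check from 981047), here is an added Python model of that per-IP state; it is not CRS or ModSecurity code. The threshold, time slice and block timeout are constructed values, and the step that turns a second burst inside one time slice into ip.dos_block is an assumption, since that rule is not quoted in the post.

```python
import re

# Static extensions exactly as rule 981047 writes them (case-sensitive)
STATIC_RE = re.compile(r"\.(jpe?g|png|gif|js|css|ico)$")


class DosTracker:
    """Models the ip.* collection as rules 981044-981048 drive it.

    Thresholds are constructed values. The burst-to-block step (a second burst
    inside one time slice sets ip.dos_block) is an assumption, since that rule
    is not quoted in the post. Times are plain seconds so the model runs offline.
    """

    def __init__(self, counter_threshold=5, burst_time_slice=60, block_timeout=600):
        self.counter_threshold = counter_threshold
        self.burst_time_slice = burst_time_slice
        self.block_timeout = block_timeout
        self.ips = {}  # ip -> {variable: (value, expiry_time_or_None)}

    def _vars(self, ip, now):
        v = self.ips.setdefault(ip, {})
        # expirevar semantics: a variable past its expiry time no longer exists
        for name in [n for n, (_, exp) in v.items() if exp is not None and exp <= now]:
            del v[name]
        return v

    def request(self, ip, basename, now):
        """Return (action, alert): action is 'drop' or 'pass'; alert is the
        981044 message, or None when the once-per-minute flag suppresses it."""
        v = self._vars(ip, now)
        if v.get("dos_block", (0, None))[0] == 1:
            # 981044 first rule: its setvar runs on match, so every hit is counted
            hits = v.get("dos_block_counter", (0, None))[0] + 1
            v["dos_block_counter"] = (hits, None)
            alert = None
            if "dos_block_flag" not in v:  # chained rule: &IP:DOS_BLOCK_FLAG == 0
                v["dos_block_flag"] = (1, now + 60)
                alert = f"DoS Attack Identified from {ip} ({hits} hits since last alert)"
                v["dos_block_counter"] = (0, None)
            return "drop", alert
        if STATIC_RE.search(basename):  # 981047 counts only non-static resources
            return "pass", None
        count = v.get("dos_counter", (0, None))[0] + 1
        v["dos_counter"] = (count, None)
        if count > self.counter_threshold:  # 981048: @gt threshold records a burst
            bursts = v.get("dos_burst_counter", (0, None))[0] + 1
            v["dos_burst_counter"] = (bursts, now + self.burst_time_slice)
            del v["dos_counter"]  # setvar:!ip.dos_counter
            if bursts >= 2:  # assumed block rule, not quoted in the post
                v["dos_block"] = (1, now + self.block_timeout)
        return "pass", None
```

Feeding it "logo.PNG" after the block has expired shows the Question 2 point: the upper-case extension is not matched by the rule's pattern and is counted as a non-static request.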