On 1/12/11 5:42 AM, "Superpizza" <[email protected]> wrote:
>Hi everyone.
>I was wondering about setting up a brute force protection against a single
>client (browser).
>It happens I manage a busy site, and I've got a bunch of customers
>coming to me through large proxies.
>This means I can't simply ban an IP
>(as dictated by current brute force rule in 2.1.1),

Are you referring to the experimental Brute Force Detection rules -
http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/experimental_rules/modsecurity_crs_11_brute_force.conf

If so, keep in mind that the IP collection it is using is taken from the
modsecurity_crs_10_config.conf file and the key we use is a combination of
the IP address and a hash of the User-Agent value -

#
# -=[ Global and IP Collections ]=-
#
# Create both Global and IP collections for rules to use
# There are some CRS rules that assume that these two collections
# have already been initiated.
#
SecRule REQUEST_HEADERS:User-Agent "^(.*)$" "phase:1,t:none,pass,nolog,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var}"
SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"

This should help to make the collections a bit more unique even if users
are sharing open proxies.

> but I'd like to stop a single client
>(likely a script mimicking a real browser).
>
>I thought about setting up a global collection
> populated by hashing a cookie (different value for each customer).
>Something like:
>
>SecRule REQUEST_COOKIES_NAMES:JSESSIONID "^(.*)$"

If you want to capture the *value* of the JSESSIONID, you should use -
REQUEST_COOKIES:JSESSIONID as the variable.

-Ryan

>"phase:1,t:none,pass,nolog,t:sha1,t:hexEncode,setvar:tx.cookie_hash=%{matched_var}"
>
>SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{tx.cookie_hash}"
>
>I could then try to modify the rules present in
>modsecurity_crs_11_brute_force.conf to evaluate that variable.
>Any suggestion?
>
>Regards, Luca
>_______________________________________________
>Owasp-modsecurity-core-rule-set mailing list
>[email protected]
>https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
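
Added example, not part of the original thread and not CRS code: a small Python model of how the collection key discussed above (IP only, IP plus User-Agent hash, or a hash of the JSESSIONID value) decides which clients behind one proxy share a failed-login counter. The sample requests, the threshold of 5, the function names and the treatment of cookie-less requests as having no key are all assumptions made for illustration.

```python
import hashlib
from collections import Counter

def sha1_hex(value):
    """Hex-encoded SHA-1, the value the t:sha1,t:hexEncode chain computes."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest()

def key_ip(req):
    return req["ip"]

def key_ip_ua(req):
    # Mirrors initcol:ip=%{remote_addr}_%{tx.ua_hash}
    return req["ip"] + "_" + sha1_hex(req["ua"])

def key_cookie(req):
    # Mirrors hashing the JSESSIONID value; no cookie means no key (model assumption)
    sid = req["jsessionid"]
    return sha1_hex(sid) if sid else None

def blocked_keys(failed_logins, key_fn, threshold):
    """Return (keys at or over threshold, number of requests that had no key)."""
    counts, unkeyed = Counter(), 0
    for req in failed_logins:
        key = key_fn(req)
        if key is None:
            unkeyed += 1
        else:
            counts[key] += 1
    return {k for k, n in counts.items() if n >= threshold}, unkeyed

# Constructed sample: failed logins arriving through one shared proxy.
PROXY = "192.0.2.10"
UA_A = "Mozilla/5.0 (Windows NT 6.1; rv:1.9.2) Gecko Firefox/3.6"
UA_B = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X) Safari/533"

def failures(ua, sid, n):
    return [{"ip": PROXY, "ua": ua, "jsessionid": sid} for _ in range(n)]

FAILED_LOGINS = (
    failures(UA_A, "AAA111", 2)    # customer A, mistyped password twice
    + failures(UA_B, "BBB222", 2)  # customer B, same
    + failures(UA_A, "CCC333", 6)  # scripted client sending customer A's User-Agent
    + failures(UA_B, None, 1)      # request that carried no session cookie
)

if __name__ == "__main__":
    for name, fn in [("ip", key_ip), ("ip+ua", key_ip_ua), ("cookie", key_cookie)]:
        blocked, unkeyed = blocked_keys(FAILED_LOGINS, fn, threshold=5)
        print(name, sorted(blocked), "unkeyed:", unkeyed)
```

In this sample the IP-only key puts the whole proxy over the threshold, the IP plus User-Agent key blocks the bucket that customer A shares with the script, and the cookie-hash key blocks only the script's session. The cookie-hash key also leaves the cookie-less request uncounted, so a rule set keyed this way still needs a fallback counter for requests that present no JSESSIONID.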
