Hi,

The short answer is that there are no directories defined - just full paths.

The long answer is that there are also no actual filenames - the requests are handled by a content engine doing friendly URLs. The defined URLs are the friendly ones - so Apache gets a request for www.site.com/protected_url and uses mod_rewrite to send it to engine.php. Does that make a difference for REQUEST_FILENAME?

Thanks,
Yonah

On Sun, Mar 20, 2011 at 3:56 PM, Ryan Barnett <[email protected]> wrote:

> Are your protected URLs that you define in the 10 file setvars full paths
> to the login page(s)? The check in the brute force file checks these
> variables against the REQUEST_FILENAME of the current transaction. You
> sanitized your example configs (/protected_url) so I am not sure if you
> defined a filename or a directory.
>
> An audit log entry would help.
>
> On Mar 20, 2011, at 5:51 AM, Yonah Russ <[email protected]> wrote:
>
> Hi,
>
> I'm using 2.5.13 with CRS 2.1.1
> I've configured the following:
>
> SecAction "phase:1,t:none,nolog,pass, \
>   setvar:'tx.brute_force_protected_urls=/protected_url /protected_url2', \
>   setvar:'tx.brute_force_burst_time_slice=60', \
>   setvar:'tx.brute_force_counter_threshold=5', \
>   setvar:'tx.brute_force_block_timeout=300'"
>
> When I test, all the requests get through and not even a message in the
> logs :(
> Here is an excerpt from the debug log:
> ...
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_protected_urls=/protected_url /protected_url2
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_protected_urls" to "/protected_url /protected_url2".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_burst_time_slice=60
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_burst_time_slice" to "60".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_counter_threshold=5
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_counter_threshold" to "5".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Setting variable: tx.brute_force_block_timeout=300
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Set variable "tx.brute_force_block_timeout" to "300".
> ...
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Creating collection (name "global", key "global").
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Recorded original collection variable: global.UPDATE_COUNTER = "0"
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Added collection "global" to the list.
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Resolved macro %{remote_addr} to: 192.168.1.1
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Resolved macro %{tx.ua_hash} to: 3dcbbff145dcf13aa6287b931eb296b39b7541ee
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "__expire_KEY", value "1300615158".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "KEY", value "192.168.1.1_3dcbbff145dcf13aa6287b931eb296b39b7541ee".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "TIMEOUT", value "3600".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "__key", value "192.168.1.1_3dcbbff145dcf13aa6287b931eb296b39b7541ee".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "__name", value "ip".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "CREATE_TIME", value "1300607334".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "UPDATE_COUNTER", value "75".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "dos_counter", value "75".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Read variable: name "LAST_UPDATE_TIME", value "1300611558".
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Retrieved collection (name "ip", key "192.168.1.1_3dcbbff145dcf13aa6287b931eb296b39b7541ee").
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] Recorded original collection variable: ip.UPDATE_COUNTER = "75"
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Added collection "ip" to the list.
> ...
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][5] Rule 240d78: SecRule "IP:BRUTE_FORCE_BLOCK" "@eq 1" "phase:1,log,noauditlog,chain,block,msg:'Brute Force Attack Identified from %{remote_addr} (%{tx.brute_force_block_counter} hits since last alert)',setvar:ip.brute_force_block_counter=+1"
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Rule returned 0.
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] No match, chained -> mode NEXT_CHAIN.
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Recipe: Invoking rule 244cd8; [file "/opt/www/conf/modsecurity_crs/base_rules/modsecurity_crs_11_brute_force.conf"] [line "27"].
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][5] Rule 244cd8: SecRule "IP:BRUTE_FORCE_BLOCK" "@eq 1" "phase:1,noauditlog,block,nolog,setvar:ip.brute_force_block_counter=+1"
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Rule returned 0.
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][9] No match, not chained -> mode NEXT_RULE.
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Recipe: Invoking rule 250338; [file "/opt/www/conf/modsecurity_crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "11"].
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][5] Rule 250338: SecRule "IP:DOS_BLOCK" "@eq 1" "phase:1,log,noauditlog,chain,drop,msg:'Denial of Service (DoS) Attack Identified from %{remote_addr} (%{tx.dos_block_counter} hits since last alert)',setvar:ip.dos_block_counter=+1"
> [20/Mar/2011:09:15:56 +0000] [www.site.com/sid#12b7778][rid#19211a0][/protected_url][4] Rule returned 0.
>
> From what I can see, the request never hits the section of rules which
> should start counting the requests to the protected URL. Instead, it skips
> to the next ruleset?
> Thanks in advance,
> Yonah
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
> ________________________________
> This transmission may contain information that is privileged, confidential,
> and/or exempt from disclosure under applicable law. If you are not the
> intended recipient, you are hereby notified that any disclosure, copying,
> distribution, or use of the information contained herein (including any
> reliance thereon) is STRICTLY PROHIBITED. If you received this transmission
> in error, please immediately contact the sender and destroy the material in
> its entirety, whether in electronic or hard copy format.
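Added example, not code from this thread, from the OWASP CRS or from ModSecurity: a stand-alone Python model of the protected-URL test Ryan describes, where REQUEST_FILENAME is compared against the space-separated value of tx.brute_force_protected_urls configured above. Two things are assumed here because the thread does not quote the rule itself: that the CRS rule uses the @within operator, which per the ModSecurity reference matches when the variable's value occurs as a substring of the parameter, and that REQUEST_FILENAME carries the path of the URI the client sent (query string removed) rather than the mod_rewrite target. The sample requests, including the /engine.php rewrite target from Yonah's reply, are constructed for this example.

```python
"""Model of the CRS protected-URL check on REQUEST_FILENAME (added example).

Assumptions, labelled because the thread does not show the rule text:
  * the rule uses @within: variable value is a substring of the parameter;
  * REQUEST_FILENAME is the client-requested path without the query string,
    not the file that mod_rewrite forwarded the request to.
"""
from urllib.parse import urlsplit

# Exactly the value set by the SecAction quoted in the thread.
BRUTE_FORCE_PROTECTED_URLS = "/protected_url /protected_url2"


def request_filename(request_uri: str) -> str:
    """Model of REQUEST_FILENAME: the URI path with the query string dropped."""
    return urlsplit(request_uri).path


def within(variable: str, parameter: str) -> bool:
    """Model of @within: true when the variable value occurs anywhere inside
    the parameter string. An empty variable is treated as no match so that
    a missing path cannot satisfy the test (guard added for this example)."""
    return bool(variable) and variable in parameter


def is_protected_within(request_uri: str,
                        protected_urls: str = BRUTE_FORCE_PROTECTED_URLS) -> bool:
    """Protected-URL test as the CRS rule is assumed to express it
    (REQUEST_FILENAME @within tx.brute_force_protected_urls)."""
    return within(request_filename(request_uri), protected_urls)


def is_protected_exact(request_uri: str,
                       protected_urls: str = BRUTE_FORCE_PROTECTED_URLS) -> bool:
    """Stricter alternative: the path must equal one whole list entry.
    In ModSecurity terms this is an anchored regex such as
    @rx ^(?:/protected_url|/protected_url2)$ instead of @within."""
    return request_filename(request_uri) in protected_urls.split()


def evaluate(request_uris):
    """Run both tests over a batch of request URIs.
    Returns a list of (uri, within_result, exact_result) tuples."""
    return [(uri, is_protected_within(uri), is_protected_exact(uri))
            for uri in request_uris]


# Constructed sample requests for this example.
SAMPLE_REQUESTS = [
    "/protected_url?user=alice&pass=wrong",  # the login page, with a query string
    "/protected_url2",                        # second configured entry
    "/prot",                                  # prefix only: @within still matches
    "/",                                      # site root: "/" is a substring too
    "/engine.php",                            # the mod_rewrite target from the thread
    "/blog/2011/03",                          # unrelated page
]

if __name__ == "__main__":
    for uri, by_within, by_exact in evaluate(SAMPLE_REQUESTS):
        print(f"{uri:40s} @within={by_within!s:5s} exact={by_exact}")
```

Two rows are worth attention when reading the output. Under the assumed @within semantics, "/prot" and even "/" count as protected because they are substrings of the configured list, so substring matching is looser than an operator would be expected to be for an allow-list of login pages; an anchored regex, modelled here by is_protected_exact, avoids that. The "/engine.php" row shows the consequence of the question Yonah raises: if the WAF compared the rewrite target rather than the friendly URL the client requested, neither form of the check would ever mark a request as protected, and no counting would happen. Confirming which value REQUEST_FILENAME actually holds in the debug log (the [/protected_url] field in the lines above is a good hint) is the first thing to verify.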
