Thanks for the updates Oleg!  This will certainly be a useful update to
not only the DoS rules but any rules that will be based on the client IP.
I will actually go back to check other uses of REMOTE_ADDR and see if we
can swap it for tx.real_ip instead.

I will add this to the CRS v2.2.0 that I am working on.

For future reference - here is the OWASP CRS mail-list -

https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

--
Ryan Barnett
Senior Security Researcher
Trustwave - SpiderLabs




On 4/28/11 7:32 PM, "Oleg Gryb" <[email protected]> wrote:

>I'm not sure if I can discuss CRS rules here. If not, please let me know
>what the right place is. I want to suggest an improvement to DoS protection
>in CRS 2.1.2. The problem is that enterprise applications usually run behind
>load balancers, so relying on remote_addr doesn't make too much sense,
>because you'll always have an LB's IP in there.
>
>My improved rules (attached) check for the x-forwarded-for header and, if
>it's present, this IP will be used to initialize the IP collection. If it's
>not, then the old logic will be used.
>
>It would be great if we can include this improvement in the next CRS
>release.
>
>Thanks,
>Oleg.


_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
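The rule logic Oleg describes (take the client address from X-Forwarded-For when a load balancer is in front, otherwise fall back to REMOTE_ADDR, and initialise the IP collection from the result) can be written as a small set of ModSecurity rules. The block below is an added illustration, not Oleg's attached rules and not the CRS v2.2.0 code; the load-balancer addresses 10.0.0.10 and 10.0.0.11, the rule ids 999001-999003 and the variable name tx.real_ip (taken from Ryan's reply) are placeholders for this example. It also adds the check a defender wants here: the header is only honoured when the TCP peer is actually one of the load balancers, and only the rightmost address (the one the balancer appended) is used, since anything further left was supplied by the client and can be set to any value.

```apacheconf
# Added example (not the rules attached to Oleg's mail, nor CRS v2.2.0 code).
# Placeholders: load balancers at 10.0.0.10 and 10.0.0.11, rule ids 999001-999003.
# @ipMatch needs ModSecurity 2.6 or newer.

# 1. Only when the connection comes from a known load balancer, copy the
#    rightmost address of X-Forwarded-For (the one the LB itself appended)
#    into tx.real_ip. Addresses further left are client-supplied and untrusted.
SecRule REMOTE_ADDR "@ipMatch 10.0.0.10,10.0.0.11" \
  "phase:1,id:999001,t:none,nolog,pass,chain"
  SecRule REQUEST_HEADERS:X-Forwarded-For "(\d{1,3}(?:\.\d{1,3}){3})\s*$" \
    "t:none,capture,setvar:tx.real_ip=%{tx.1}"

# 2. Direct connection, or no usable header: keep the old behaviour and use
#    REMOTE_ADDR. &TX:REAL_IP counts how many times the variable is set.
SecRule &TX:REAL_IP "@eq 0" \
  "phase:1,id:999002,t:none,nolog,pass,setvar:tx.real_ip=%{remote_addr}"

# 3. Initialise the per-client collection the DoS rules count against from
#    tx.real_ip, so the same counters work with or without a balancer in front.
SecAction "phase:1,id:999003,t:none,nolog,pass,initcol:ip=%{tx.real_ip}"
```

With this in place, DoS rules that previously read %{remote_addr} can read %{tx.real_ip} instead, which is the swap Ryan mentions above. If the balancer addresses are not pinned down as in rule 999001, a client can spoof X-Forwarded-For and spread its requests across many counters, so the peer check is what makes the header usable for rate limiting at all.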
