I'm looking at using modsecurity_crs_11_brute_force as a way of mitigating a short list of URLs that are vulnerable to enumeration attacks.

My UX designers are not happy about the fact that the block, when it goes into effect, restricts all requests from the attacking IP address.

So I'm considering adding an entry to skip the brute force checks if REQUEST_FILENAME does not match a protected URL.
The current implementation looks like:

# Load the base CRS rules (tx.brute_force_protected_urls is set in the CRS setup)
Include conf/modsecurity_crs/*.conf

# If the requested path is not one of the protected URLs, jump past the
# brute-force checks (END_BRUTE_FORCE_PROTECTION_CHECKS is the marker defined
# in modsecurity_crs_11_brute_force.conf)
SecRule REQUEST_FILENAME "!@within %{tx.brute_force_protected_urls}" "phase:1,id:'88888',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"

# Brute-force protection rules, included after the skip rule above
Include conf/modsecurity_crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Have I introduced a new weakness by doing this?
Thank you,
Danil
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set