I'm using modsecurity_crs_11_brute_force to mitigate the risks of an
enumeration attack on some URLs.

Testing today revealed that the rules are getting tripped more often
than they should.

After examining the logs, it appears that my problem is in rule 981039
REQUEST_FILENAME "!@within %{tx.brute_force_protected_urls}"

tx.brute_force_protected_urls is supposed to be set to '/A /B',
where /A and /B are the URLs I need to protect.  From what I see in
the logs, the root URL / is also "within" tx.brute_force_protected_urls,
and that causes the rule to fire more often than it should.

So it appears that I need an analog to 981039 which invokes
skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS
if the REQUEST_FILENAME matches my false positives?

Is trying to patch this the right answer, or does this problem indicate
that I've made an error configuring my rules elsewhere?


Thanks,
Danil



_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
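
Added illustration, not part of the original post or of the CRS: ModSecurity's `@within` operator is a substring test (the input is searched for inside the parameter string), which is why `/` counts as "within" `'/A /B'`. The Python model below runs that semantics over constructed REQUEST_FILENAME values; `whole_entry_match` is a hypothetical stricter comparison, not a ModSecurity operator.

```python
# Model of the matching behaviour described in the post. This is an added
# example, not ModSecurity or CRS code.

PROTECTED = "/A /B"  # value of tx.brute_force_protected_urls from the post


def within(needle: str, haystack: str) -> bool:
    """Documented @within semantics: true when the input value is found
    anywhere inside the parameter string (plain substring search)."""
    return needle in haystack


def whole_entry_match(needle: str, haystack: str) -> bool:
    """Hypothetical stricter check: the input must equal one complete
    whitespace-separated entry of the list."""
    return needle in haystack.split()


def unintended_matches(paths, protected=PROTECTED):
    """Paths that @within accepts although they are not list entries.
    Rule 981039 uses "!@within" to skip the checks, so each of these is
    NOT skipped and ends up counted by the brute-force rules."""
    return [p for p in paths
            if within(p, protected) and not whole_entry_match(p, protected)]


# Constructed sample REQUEST_FILENAME values.
SAMPLES = ["/A", "/B", "/", "/index.html", "/A/extra", "", "A", " "]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path!r:15} @within={within(path, PROTECTED)!s:5} "
              f"whole-entry={whole_entry_match(path, PROTECTED)}")
    print("unintended:", unintended_matches(SAMPLES))
```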