From: "JPow (powster)" <[email protected]>
Date: Fri, 13 Jul 2012 10:39:21 -0500
To: Ryan Barnett <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [Owasp-modsecurity-core-rule-set] DOS_Protection Problem: Could not set variable "ip.dos_counter" as the collection does not exist.
Hi Ryan,
Thanks for the tip. I tried adding this to the end of the 10_setup.conf:
SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/1.0$" "phase:1,allow,nolog,chain,t:none"
    SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"
        SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$"
> I would add this before the [[ Global and IP Collections ]] rules.
> Also, is your SecRuleEngine set to On? It needs to be to use the allow action.
> -Ryan
Restarted apache and still kept getting:
DEBUG: [13/Jul/2012:15:34:13 +0000] [ip-10-128-81-72.ap-southeast-1.compute.internal/sid#7f5fdc6a0370][rid#7f5fdf6310a0][*][3] Could not set variable "ip.dos_counter" as the collection does not exist.
AUDIT:
--fe256340-A--
[13/Jul/2012:15:34:14 +0000] UAA-9gqAUUgAAB9cIOwAAAAH 127.0.0.1 34888 127.0.0.1 80
--fe256340-B--
OPTIONS * HTTP/1.0
User-Agent: Apache (internal dummy connection)
--fe256340-F--
HTTP/1.1 200 OK
Content-Length: 0
Connection: close
--fe256340-H--
Message: Could not set variable "ip.dos_counter" as the collection does not exist.
Stopwatch: 1342193654146888 832 (- - -)
Stopwatch2: 1342193654146888 832; combined=275, p1=0, p2=0, p3=0, p4=0, p5=274, sr=0, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.5; OWASP_CRS/2.2.5.
Server: Apache
--fe256340-Z--
Thinking that maybe the "chaining" of the rules was preventing a match, I tried
the following rules, all UNCHAINED (again, appended at the end of 10_setup.conf)
SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/1.0$" "phase:1,allow,nolog"
SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "phase:1,allow,nolog"
SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "phase:1,allow,nolog"
Result: Still kept getting the same errors.
Am I doing something wrong? Is appending the rules to 10_setup.conf wrong?
Is there something wrong with the rules, which inadvertently allows the apache
internal dummy connection through?
Thank you so much.
JPow
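The audit-log excerpts in the messages above use ModSecurity's serial audit-log layout (parts A, B, F, H and Z, each delimited by a --txid-part-- line). The following is an added example, written for this page and not code from the thread, the ModSecurity project or the CRS project: it parses that layout, applies the same three conditions the CRS exception rule quoted above uses (request line, loopback REMOTE_ADDR, "internal dummy connection" User-Agent) to tag dummy-connection transactions, pulls every "Message:" line out of part H, and reads the per-phase timings from the Stopwatch2 line. Function and class names (parse_serial_audit_log, AuditEntry, collection_error_report and so on) are my own choices. The sample input is constructed: the first entry is the dummy-connection entry posted above with part F omitted, the second is a made-up ordinary request from the documentation address 203.0.113.7 for contrast.

```python
# Added example (not from the thread or the CRS project): parse ModSecurity 2.x serial audit log entries.
import re
from dataclasses import dataclass, field

PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")  # "--<txid>-<part>--" section boundary
KV_RE = re.compile(r"(\w+)=(\d+)")                   # "name=micros" pairs on the Stopwatch2 line
# The same three conditions the CRS common-exceptions rule quoted in the thread tests
DUMMY_REQUEST_LINE_RE = re.compile(r"^(GET /|OPTIONS \*) HTTP/1\.0$")
LOOPBACK_RE = re.compile(r"^(127\.0\.0\.|::)1$")
DUMMY_UA_RE = re.compile(r"^Apache.*\(internal dummy connection\)$")
COLLECTION_ERROR = "as the collection does not exist"

@dataclass
class AuditEntry:
    txid: str
    parts: dict = field(default_factory=dict)  # part letter -> list of lines
    @property
    def remote_addr(self):
        # Part A: "[timestamp] <unique id> <client ip> <client port> <server ip> <server port>"
        fields = self.parts.get("A", [""])[0].split("] ", 1)[-1].split()
        return fields[1] if len(fields) > 1 else ""

    @property
    def request_line(self):
        return self.parts.get("B", [""])[0]

    def request_header(self, name):
        for line in self.parts.get("B", [])[1:]:
            key, sep, value = line.partition(":")
            if sep and key.strip().lower() == name.lower():
                return value.strip()
        return None

    def messages(self):  # part H carries one "Message:" line per rule hit or engine error
        return [l.split(":", 1)[1].strip() for l in self.parts.get("H", []) if l.startswith("Message:")]

    def slowest_phase(self):  # Stopwatch2 (part H) gives per-phase microseconds as p1..p5
        for line in self.parts.get("H", []):
            if line.startswith("Stopwatch2:"):
                t = {k: int(v) for k, v in KV_RE.findall(line) if k.startswith("p")}
                return max(t, key=t.get) if t else None
        return None

def parse_serial_audit_log(text):
    entries, current, part = [], None, None
    for line in text.splitlines():
        m = PART_RE.match(line)
        if m:
            txid, part = m.groups()
            if part == "A":            # a new transaction begins
                current = AuditEntry(txid)
                entries.append(current)
            elif part == "Z":          # end of this transaction
                current, part = None, None
        elif current is not None and part and line.strip():
            current.parts.setdefault(part, []).append(line)
    return entries

def is_internal_dummy_connection(entry):
    ua = entry.request_header("User-Agent") or ""
    return bool(DUMMY_REQUEST_LINE_RE.match(entry.request_line)
                and LOOPBACK_RE.match(entry.remote_addr) and DUMMY_UA_RE.match(ua))

def collection_error_report(text):
    # One record per transaction whose part H carries the collection error
    report = []
    for e in parse_serial_audit_log(text):
        hits = [m for m in e.messages() if COLLECTION_ERROR in m]
        if hits:
            report.append({"txid": e.txid, "remote_addr": e.remote_addr,
                           "request_line": e.request_line, "messages": hits,
                           "internal_dummy_connection": is_internal_dummy_connection(e),
                           "slowest_phase": e.slowest_phase()})
    return report

# Constructed sample: the first entry is the dummy-connection entry from the thread (part F
# omitted); the second is a made-up ordinary request from 203.0.113.7, shown for contrast.
SAMPLE_LOG = """\
--fe256340-A--
[13/Jul/2012:15:34:14 +0000] UAA-9gqAUUgAAB9cIOwAAAAH 127.0.0.1 34888 127.0.0.1 80
--fe256340-B--
OPTIONS * HTTP/1.0
User-Agent: Apache (internal dummy connection)
--fe256340-H--
Message: Could not set variable "ip.dos_counter" as the collection does not exist.
Stopwatch2: 1342193654146888 832; combined=275, p1=0, p2=0, p3=0, p4=0, p5=274, sr=0, sw=1, l=0, gc=0
--fe256340-Z--
--0a1b2c3d-A--
[13/Jul/2012:15:40:02 +0000] constructedTxId000000000 203.0.113.7 51234 10.128.81.72 80
--0a1b2c3d-B--
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (constructed client)
--0a1b2c3d-H--
Stopwatch2: 1342194002000000 1500; combined=900, p1=100, p2=600, p3=0, p4=50, p5=150, sr=0, sw=0, l=0, gc=0
--0a1b2c3d-Z--
"""
```

Run collection_error_report(SAMPLE_LOG) over a real audit log to see whether every "collection does not exist" hit is a dummy connection or whether ordinary clients are affected too. The slowest_phase field is worth reading alongside the rules tried above: both Stopwatch2 lines in the thread put all of the time in p5, and the ModSecurity reference manual documents that a bare allow stops the current phase and skips the remaining phases except the logging phase, which always runs, so a phase:1 allow rule does not stop phase 5 rules from executing.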
From: Ryan Barnett <[email protected]>
Date: Friday, July 13, 2012 10:11 PM
To: Jingxun Pow <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [Owasp-modsecurity-core-rule-set] DOS_Protection Problem: Could not set variable "ip.dos_counter" as the collection does not exist.
The rules in the 47 common exceptions file will only adjust the anomaly scores.
You could take these rules and place them into local 15 files and add the
"allow" action to them.
--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader
From: "JPow (powster)" <[email protected]>
Date: Fri, 13 Jul 2012 09:01:11 -0500
To: "[email protected]" <[email protected]>
Subject: [Owasp-modsecurity-core-rule-set] DOS_Protection Problem: Could not set variable "ip.dos_counter" as the collection does not exist.
Hi there,
I am facing a problem where I get "Could not set variable "ip.dos_counter" as
the collection does not exist." debug output when using the dos_protection rule
set ( "modsecurity_crs_11_dos_protection.conf").
* DOS_Protection works as it should, so no issues with that (I have
uncommented the relevant lines in the crs_10_setup.conf, as well as properly
linked up the crs_11_dos_protection.conf).
* However, I find that the debug is littered with "Could not set variable
"ip.dos_counter" as the collection does not exist."
* I've realized that this is NOT a problem with INITCOL:IP not being called
in the setup conf file --> This works properly (I am using the default
crs_10_setup.conf)
* The issue ONLY occurs with Apache (internal dummy connection) (see below
debug / audit output)
* As you can see in the audit output below, it is not a standard "GET" request.
* From my understanding, Apache's internal dummy connections are just
done by Apache to wake up its child processes.
* I am puzzled why this happens, because I thought there already is an
exception for Apache internal dummy connections in 47 common_exceptions.conf?
Any reason why these dummy connections are still causing the error messages in
the debug? And if so, how to solve this issue?
Thanks!
My system:
-Ubuntu 12.04 on Amazon EC2
-Apache 2.6.3 Mod_Security
-OWASP_CRS/2.2.5.
Debug output:
[13/Jul/2012:13:29:46 +0000] [ip-XX-XXX-XX-XX.ap-southeast-1.compute.internal/sid#7f40d4a48370][rid#7f40d64c60a0][*][3] Could not set variable "ip.dos_counter" as the collection does not exist.
Audit Output:
--695eef13-A--
[13/Jul/2012:13:29:46 +0000] UAAiygqAUUgAABqMEm0AAAAE 127.0.0.1 34716 127.0.0.1 80
--695eef13-B--
OPTIONS * HTTP/1.0
User-Agent: Apache (internal dummy connection)
--695eef13-F--
HTTP/1.1 200 OK
Content-Length: 0
Connection: close
--695eef13-H--
Message: Could not set variable "ip.dos_counter" as the collection does not exist.
Stopwatch: 1342186186315250 284 (- - -)
Stopwatch2: 1342186186315250 284; combined=119, p1=0, p2=0, p3=0, p4=0, p5=118, sr=0, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.5; OWASP_CRS/2.2.5.
Server: Apache
--695eef13-Z--
________________________________
This transmission may contain information that is privileged, confidential,
and/or exempt from disclosure under applicable law. If you are not the intended
recipient, you are hereby notified that any disclosure, copying, distribution,
or use of the information contained herein (including any reliance thereon) is
STRICTLY PROHIBITED. If you received this transmission in error, please
immediately contact the sender and destroy the material in its entirety,
whether in electronic or hard copy format.
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set