[Owasp-modsecurity-core-rule-set] crs against brute force not working
hi, im using latest modsecurity rule set and i tried out crs_11_bruteforce from experimental rule. But its not working for me. I created a shortlink of it in the activated rules directory, restarted the apache and when i brute force my web application login page the modsecurity audit log dont give me any brute force warnings. what could be the problem? Im using burp suite pro version's intruder for brute forcing. can anyone point to helpful resource that i can follow? thanks. regards sabin ___ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working
In your modsecurity_crs_10_setup.conf file you need to make sure to uncomment, and define the paths for your login page. You will notice the first line of the rule is commented out with a regular pound symbol. Then restart apache. Here is how mine looks. I set it up for WordPress and Drupal. It has been working well for WordPress brute force attempts: # # -- [[ Brute Force Protection ]] - # # If you are using the Brute Force Protection rule set, then uncomment the following # lines and set the following variables: # - Protected URLs: resources to protect (e.g. login pages) - set to your login page # - Burst Time Slice Interval: time interval window to monitor for bursts # - Request Threshold: request # threshold to trigger a burst # - Block Period: temporary block timeout # SecAction \ "id:'900014', \ phase:1, \ t:none, \ setvar:'tx.brute_force_protected_urls=#/wp-login.php# #/user#', \ setvar:'tx.brute_force_burst_time_slice=60', \ setvar:'tx.brute_force_counter_threshold=10', \ setvar:'tx.brute_force_block_timeout=300', \ nolog, \ pass" Wesley Render, IT Consultant, RHCSA Phone: 1.403.228.1221 ext 201 <http://www.otherdata.com/> www.otherdata.com <http://www.facebook.com/otherdata> From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Sabin Ranjit Sent: August-21-14 4:17 AM To: owasp-modsecurity-core-rule-set@lists.owasp.org Subject: [Owasp-modsecurity-core-rule-set] crs against brute force not working hi, im using latest modsecurity rule set and i tried out crs_11_bruteforce from experimental rule. But its not working for me. I created a shortlink of it in the activated rules directory, restarted the apache and when i brute force my web application login page the modsecurity audit log dont give me any brute force warnings. what could be the problem? Im using burp suite pro version's intruder for brute forcing. can anyone point to helpful resource that i can follow? thanks. regards sabin ___ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working
hi Wesley, I'm not using wordpress, I'm try to protect my application made in Yii framework and its login url looks like this: https://domainname.net/user/user/login/ how can I set brute_force_protected_urls value for this of url ? I tried few ways but it gave me syntax error. thanks, regards On Thu, Aug 21, 2014 at 9:36 PM, Wesley Render wrote: > In your modsecurity_crs_10_setup.conf file you need to make sure to > uncomment, and define the paths for your login page. You will notice the > first line of the rule is commented out with a regular pound symbol. Then > restart apache. Here is how mine looks. I set it up for WordPress and > Drupal. It has been working well for WordPress brute force attempts: > > > > # > > # -- [[ Brute Force Protection ]] > - > > # > > # If you are using the Brute Force Protection rule set, then uncomment the > following > > # lines and set the following variables: > > # - Protected URLs: resources to protect (e.g. login pages) - set to your > login page > > # - Burst Time Slice Interval: time interval window to monitor for bursts > > # - Request Threshold: request # threshold to trigger a burst > > # - Block Period: temporary block timeout > > # > > SecAction \ > > "id:'900014', \ > > phase:1, \ > > t:none, \ > > setvar:'tx.brute_force_protected_urls=#/wp-login.php# #/user#', \ > > setvar:'tx.brute_force_burst_time_slice=60', \ > > setvar:'tx.brute_force_counter_threshold=10', \ > > setvar:'tx.brute_force_block_timeout=300', \ > > nolog, \ > > pass" > > > > > > [image: Otherdata_Logo_2011] > > *Wesley Render, IT Consultant, RHCSA* > > Phone: 1.403.228.1221 ext 201 > > www.otherdata.com > > > > [image: findonfacebook] <http://www.facebook.com/otherdata> > > > > > > *From:* owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto: > owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] *On Behalf Of *Sabin > Ranjit > *Sent:* August-21-14 4:17 AM > *To:* owasp-modsecurity-core-rule-set@lists.owasp.org > *Subject:* [Owasp-modsecurity-core-rule-set] crs against brute force not > working > > > > hi, > > im using latest modsecurity rule set and i tried out crs_11_bruteforce > from experimental rule. But its not working for me. I created a shortlink > of it in the activated rules directory, restarted the apache and when i > brute force my web application login page the modsecurity audit log dont > give me any brute force warnings. what could be the problem? Im using burp > suite pro version's intruder for brute forcing. > > can anyone point to helpful resource that i can follow? > > thanks. > > regards > > sabin > ___ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working
I believe you would just set yours like this (Just include the URL after the domain name)…. # # -- [[ Brute Force Protection ]] - # # If you are using the Brute Force Protection rule set, then uncomment the following # lines and set the following variables: # - Protected URLs: resources to protect (e.g. login pages) - set to your login page # - Burst Time Slice Interval: time interval window to monitor for bursts # - Request Threshold: request # threshold to trigger a burst # - Block Period: temporary block timeout # SecAction \ "id:'900014', \ phase:1, \ t:none, \ setvar:'tx.brute_force_protected_urls=#/user/user/login/#', \ setvar:'tx.brute_force_burst_time_slice=60', \ setvar:'tx.brute_force_counter_threshold=10', \ setvar:'tx.brute_force_block_timeout=300', \ nolog, \ pass" Wesley Render, IT Consultant, RHCSA Phone: 1.403.228.1221 ext 201 <http://www.otherdata.com/> www.otherdata.com <http://www.facebook.com/otherdata> From: Sabin Ranjit [mailto:think.sa...@gmail.com] Sent: August-21-14 10:39 AM To: Wesley Render Cc: owasp-modsecurity-core-rule-set@lists.owasp.org Subject: Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working hi Wesley, I'm not using wordpress, I'm try to protect my application made in Yii framework and its login url looks like this: https://domainname.net/user/user/login/ how can I set brute_force_protected_urls value for this of url ? I tried few ways but it gave me syntax error. thanks, regards On Thu, Aug 21, 2014 at 9:36 PM, Wesley Render mailto:wren...@otherdata.com> > wrote: In your modsecurity_crs_10_setup.conf file you need to make sure to uncomment, and define the paths for your login page. You will notice the first line of the rule is commented out with a regular pound symbol. Then restart apache. Here is how mine looks. I set it up for WordPress and Drupal. It has been working well for WordPress brute force attempts: # # -- [[ Brute Force Protection ]] - # # If you are using the Brute Force Protection rule set, then uncomment the following # lines and set the following variables: # - Protected URLs: resources to protect (e.g. login pages) - set to your login page # - Burst Time Slice Interval: time interval window to monitor for bursts # - Request Threshold: request # threshold to trigger a burst # - Block Period: temporary block timeout # SecAction \ "id:'900014', \ phase:1, \ t:none, \ setvar:'tx.brute_force_protected_urls=#/wp-login.php# #/user#', \ setvar:'tx.brute_force_burst_time_slice=60', \ setvar:'tx.brute_force_counter_threshold=10', \ setvar:'tx.brute_force_block_timeout=300', \ nolog, \ pass" Wesley Render, IT Consultant, RHCSA Phone: 1.403.228.1221 ext 201 <http://www.otherdata.com/> www.otherdata.com <http://www.facebook.com/otherdata> From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org <mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org> [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org <mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org> ] On Behalf Of Sabin Ranjit Sent: August-21-14 4:17 AM To: owasp-modsecurity-core-rule-set@lists.owasp.org <mailto:owasp-modsecurity-core-rule-set@lists.owasp.org> Subject: [Owasp-modsecurity-core-rule-set] crs against brute force not working hi, im using latest modsecurity rule set and i tried out crs_11_bruteforce from experimental rule. But its not working for me. I created a shortlink of it in the activated rules directory, restarted the apache and when i brute force my web application login page the modsecurity audit log dont give me any brute force warnings. what could be the problem? Im using burp suite pro version's intruder for brute forcing. can anyone point to helpful resource that i can follow? thanks. regards sabin ___ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working
naah!! I tried it, its not working for me. I used the value like that but when i do brute force attempt in the web application with random username and password it gives me nothing in the mod audit log. I'm using burp suit pro intruder for testing. Have you tried it besides wordpress? Wonder what I'm doing wrong. thanks anyway. cheers On Thu, Aug 21, 2014 at 11:43 PM, Wesley Render wrote: > I believe you would just set yours like this (Just include the URL after > the domain name)…. > > > > # > > # -- [[ Brute Force Protection ]] > - > > # > > # If you are using the Brute Force Protection rule set, then uncomment the > following > > # lines and set the following variables: > > # - Protected URLs: resources to protect (e.g. login pages) - set to your > login page > > # - Burst Time Slice Interval: time interval window to monitor for bursts > > # - Request Threshold: request # threshold to trigger a burst > > # - Block Period: temporary block timeout > > # > > SecAction \ > > "id:'900014', \ > > phase:1, \ > > t:none, \ > > setvar:'tx.brute_force_protected_urls=#/user/user/login/#', \ > > setvar:'tx.brute_force_burst_time_slice=60', \ > > setvar:'tx.brute_force_counter_threshold=10', \ > > setvar:'tx.brute_force_block_timeout=300', \ > > nolog, \ > > pass" > > > > > > > > [image: Otherdata_Logo_2011] > > *Wesley Render, IT Consultant, RHCSA* > > Phone: 1.403.228.1221 ext 201 > > www.otherdata.com > > > > [image: findonfacebook] <http://www.facebook.com/otherdata> > > > > *From:* Sabin Ranjit [mailto:think.sa...@gmail.com] > *Sent:* August-21-14 10:39 AM > *To:* Wesley Render > *Cc:* owasp-modsecurity-core-rule-set@lists.owasp.org > *Subject:* Re: [Owasp-modsecurity-core-rule-set] crs against brute force > not working > > > > hi Wesley, > > I'm not using wordpress, I'm try to protect my application made in Yii > framework and its login url looks like this: > https://domainname.net/user/user/login/ > > how can I set brute_force_protected_urls value for this of url ? I tried > few ways but it gave me syntax error. > > thanks, > > regards > > > > On Thu, Aug 21, 2014 at 9:36 PM, Wesley Render > wrote: > > In your modsecurity_crs_10_setup.conf file you need to make sure to > uncomment, and define the paths for your login page. You will notice the > first line of the rule is commented out with a regular pound symbol. Then > restart apache. Here is how mine looks. I set it up for WordPress and > Drupal. It has been working well for WordPress brute force attempts: > > > > # > > # -- [[ Brute Force Protection ]] > - > > # > > # If you are using the Brute Force Protection rule set, then uncomment the > following > > # lines and set the following variables: > > # - Protected URLs: resources to protect (e.g. login pages) - set to your > login page > > # - Burst Time Slice Interval: time interval window to monitor for bursts > > # - Request Threshold: request # threshold to trigger a burst > > # - Block Period: temporary block timeout > > # > > SecAction \ > > "id:'900014', \ > > phase:1, \ > > t:none, \ > > setvar:'tx.brute_force_protected_urls=#/wp-login.php# #/user#', \ > > setvar:'tx.brute_force_burst_time_slice=60', \ > > setvar:'tx.brute_force_counter_threshold=10', \ > > setvar:'tx.brute_force_block_timeout=300', \ > > nolog, \ > > pass" > > > > > > [image: Otherdata_Logo_2011] > > *Wesley Render, IT Consultant, RHCSA* > > Phone: 1.403.228.1221 ext 201 > > www.otherdata.com > > > > [image: findonfacebook] <http://www.facebook.com/otherdata> > > > > > > *From:* owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto: > owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] *On Behalf Of *Sabin > Ranjit > *Sent:* August-21-14 4:17 AM > *To:* owasp-modsecurity-core-rule-set@lists.owasp.org > *Subject:* [Owasp-modsecurity-core-rule-set] crs against brute force not > working > > > > hi, > > im using latest modsecurity rule set and i tried out crs_11_bruteforce > from experimental rule. But its not working for me. I created a shortlink > of it in the activated rules directory, restarted the apache and when i > brute force my web application login page the modsecurity audit log dont > give me any brute force warnings. what could be the problem? Im using burp > suite pro version's intruder for brute forcing. > > can anyone point to helpful resource that i can follow? > > thanks. > > regards > > sabin > > > ___ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working
No. I have not actually tested it with other web software. Maybe try the following? * Make sure the modsecurity_crs_11_brute_force.conf is loading properly . Maybe you have made a mistake with symbolic link or putting the file in wrong folder. * Make sure you have uncommented the brute force rule in modsecurity_crs_10_setup.conf (By default it is commented out) * Maybe try changing your URL to include your actual web login file? I know they show it without pound symbols on each end. Like this: setvar:'tx.brute_force_protected_urls=/wp-login.php', \ Wesley Render, IT Consultant, RHCSA Phone: 1.403.228.1221 ext 201 <http://www.otherdata.com/> www.otherdata.com <http://www.facebook.com/otherdata> From: Sabin Ranjit [mailto:think.sa...@gmail.com] Sent: August-21-14 11:21 PM To: Wesley Render Cc: owasp-modsecurity-core-rule-set@lists.owasp.org Subject: Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working naah!! I tried it, its not working for me. I used the value like that but when i do brute force attempt in the web application with random username and password it gives me nothing in the mod audit log. I'm using burp suit pro intruder for testing. Have you tried it besides wordpress? Wonder what I'm doing wrong. thanks anyway. cheers On Thu, Aug 21, 2014 at 11:43 PM, Wesley Render mailto:wren...@otherdata.com> > wrote: I believe you would just set yours like this (Just include the URL after the domain name)…. # # -- [[ Brute Force Protection ]] - # # If you are using the Brute Force Protection rule set, then uncomment the following # lines and set the following variables: # - Protected URLs: resources to protect (e.g. login pages) - set to your login page # - Burst Time Slice Interval: time interval window to monitor for bursts # - Request Threshold: request # threshold to trigger a burst # - Block Period: temporary block timeout # SecAction \ "id:'900014', \ phase:1, \ t:none, \ setvar:'tx.brute_force_protected_urls=#/user/user/login/#', \ setvar:'tx.brute_force_burst_time_slice=60', \ setvar:'tx.brute_force_counter_threshold=10', \ setvar:'tx.brute_force_block_timeout=300', \ nolog, \ pass" Wesley Render, IT Consultant, RHCSA Phone: 1.403.228.1221 ext 201 <http://www.otherdata.com/> www.otherdata.com <http://www.facebook.com/otherdata> From: Sabin Ranjit [mailto:think.sa...@gmail.com <mailto:think.sa...@gmail.com> ] Sent: August-21-14 10:39 AM To: Wesley Render Cc: owasp-modsecurity-core-rule-set@lists.owasp.org <mailto:owasp-modsecurity-core-rule-set@lists.owasp.org> Subject: Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working hi Wesley, I'm not using wordpress, I'm try to protect my application made in Yii framework and its login url looks like this: https://domainname.net/user/user/login/ how can I set brute_force_protected_urls value for this of url ? I tried few ways but it gave me syntax error. thanks, regards On Thu, Aug 21, 2014 at 9:36 PM, Wesley Render mailto:wren...@otherdata.com> > wrote: In your modsecurity_crs_10_setup.conf file you need to make sure to uncomment, and define the paths for your login page. You will notice the first line of the rule is commented out with a regular pound symbol. Then restart apache. Here is how mine looks. I set it up for WordPress and Drupal. It has been working well for WordPress brute force attempts: # # -- [[ Brute Force Protection ]] - # # If you are using the Brute Force Protection rule set, then uncomment the following # lines and set the following variables: # - Protected URLs: resources to protect (e.g. login pages) - set to your login page # - Burst Time Slice Interval: time interval window to monitor for bursts # - Request Threshold: request # threshold to trigger a burst # - Block Period: temporary block timeout # SecAction \ "id:'900014', \ phase:1, \ t:none, \ setvar:'tx.brute_force_protected_urls=#/wp-login.php# #/user#', \ setvar:'tx.brute_force_burst_time_slice=60', \ setvar:'tx.brute_force_counter_threshold=10', \ setvar:'tx.brute_force_block_timeout=300', \ nolog, \ pass" Wesley Render, IT Consultant, RHCSA Phone: 1.403.228.1221 ext 201 <http://www.otherdata.com/> www.otherdata.com <http://www.facebook.com/otherdata> From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org <mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org> [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Sabin
Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working
sorry, I checked out everything you have mentioned, it didnt work out for me. :( thanks for your replies, regards, On Fri, Aug 22, 2014 at 9:40 PM, Wesley Render wrote: > No. I have not actually tested it with other web software. Maybe try the > following? > > > > · Make sure the modsecurity_crs_11_brute_force.conf is loading > properly . Maybe you have made a mistake with symbolic link or putting the > file in wrong folder. > > · Make sure you have uncommented the brute force rule in > modsecurity_crs_10_setup.conf (By default it is commented out) > > · Maybe try changing your URL to include your actual web login > file? I know they show it without pound symbols on each end. Like this: > setvar:'tx.brute_force_protected_urls=/wp-login.php', \ > > > > > > [image: Otherdata_Logo_2011] > > *Wesley Render, IT Consultant, RHCSA* > > Phone: 1.403.228.1221 ext 201 > > www.otherdata.com > > > > [image: findonfacebook] <http://www.facebook.com/otherdata> > > > > *From:* Sabin Ranjit [mailto:think.sa...@gmail.com] > *Sent:* August-21-14 11:21 PM > > *To:* Wesley Render > *Cc:* owasp-modsecurity-core-rule-set@lists.owasp.org > *Subject:* Re: [Owasp-modsecurity-core-rule-set] crs against brute force > not working > > > > naah!! I tried it, its not working for me. I used the value like that but > when i do brute force attempt in the web application with random username > and password it gives me nothing in the mod audit log. I'm using burp suit > pro intruder for testing. > > Have you tried it besides wordpress? Wonder what I'm doing wrong. > > thanks anyway. > > cheers > > > > On Thu, Aug 21, 2014 at 11:43 PM, Wesley Render > wrote: > > I believe you would just set yours like this (Just include the URL after > the domain name)…. > > > > # > > # -- [[ Brute Force Protection ]] > - > > # > > # If you are using the Brute Force Protection rule set, then uncomment the > following > > # lines and set the following variables: > > # - Protected URLs: resources to protect (e.g. login pages) - set to your > login page > > # - Burst Time Slice Interval: time interval window to monitor for bursts > > # - Request Threshold: request # threshold to trigger a burst > > # - Block Period: temporary block timeout > > # > > SecAction \ > > "id:'900014', \ > > phase:1, \ > > t:none, \ > > setvar:'tx.brute_force_protected_urls=#/user/user/login/#', \ > > setvar:'tx.brute_force_burst_time_slice=60', \ > > setvar:'tx.brute_force_counter_threshold=10', \ > > setvar:'tx.brute_force_block_timeout=300', \ > > nolog, \ > > pass" > > > > > > > > [image: Otherdata_Logo_2011] > > *Wesley Render, IT Consultant, RHCSA* > > Phone: 1.403.228.1221 ext 201 > > www.otherdata.com > > > > [image: findonfacebook] <http://www.facebook.com/otherdata> > > > > *From:* Sabin Ranjit [mailto:think.sa...@gmail.com] > *Sent:* August-21-14 10:39 AM > *To:* Wesley Render > *Cc:* owasp-modsecurity-core-rule-set@lists.owasp.org > *Subject:* Re: [Owasp-modsecurity-core-rule-set] crs against brute force > not working > > > > hi Wesley, > > I'm not using wordpress, I'm try to protect my application made in Yii > framework and its login url looks like this: > https://domainname.net/user/user/login/ > > how can I set brute_force_protected_urls value for this of url ? I tried > few ways but it gave me syntax error. > > thanks, > > regards > > > > On Thu, Aug 21, 2014 at 9:36 PM, Wesley Render > wrote: > > In your modsecurity_crs_10_setup.conf file you need to make sure to > uncomment, and define the paths for your login page. You will notice the > first line of the rule is commented out with a regular pound symbol. Then > restart apache. Here is how mine looks. I set it up for WordPress and > Drupal. It has been working well for WordPress brute force attempts: > > > > # > > # -- [[ Brute Force Protection ]] > - > > # > > # If you are using the Brute Force Protection rule set, then uncomment the > following > > # lines and set the following variables: > > # - Protected URLs: resources to protect (e.g. login pages) - set to your > login page > > # - Burst Time Slice Interval: time interval window to monitor for bursts > > # - Request Threshold: request # threshold to trigger a
Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working
Have you enabled the debug log for your test connections and reviewed the logs? Ryan Barnett Senior Lead Security Researcher, SpiderLabs Trustwave | SMART SECURITY ON DEMAND www.trustwave.com<http://www.trustwave.com/> From: Sabin Ranjit mailto:think.sa...@gmail.com>> Date: Tuesday, August 26, 2014 2:00 AM To: Wesley Render mailto:wren...@otherdata.com>> Cc: "owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>" mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>> Subject: Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working sorry, I checked out everything you have mentioned, it didnt work out for me. :( thanks for your replies, regards, On Fri, Aug 22, 2014 at 9:40 PM, Wesley Render mailto:wren...@otherdata.com>> wrote: No. I have not actually tested it with other web software. Maybe try the following? · Make sure the modsecurity_crs_11_brute_force.conf is loading properly . Maybe you have made a mistake with symbolic link or putting the file in wrong folder. · Make sure you have uncommented the brute force rule in modsecurity_crs_10_setup.conf (By default it is commented out) · Maybe try changing your URL to include your actual web login file? I know they show it without pound symbols on each end. Like this: setvar:'tx.brute_force_protected_urls=/wp-login.php', \ [Otherdata_Logo_2011] Wesley Render, IT Consultant, RHCSA Phone: 1.403.228.1221 ext 201 www.otherdata.com<http://www.otherdata.com/> [findonfacebook]<http://www.facebook.com/otherdata> From: Sabin Ranjit [mailto:think.sa...@gmail.com<mailto:think.sa...@gmail.com>] Sent: August-21-14 11:21 PM To: Wesley Render Cc: owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org> Subject: Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working naah!! I tried it, its not working for me. I used the value like that but when i do brute force attempt in the web application with random username and password it gives me nothing in the mod audit log. I'm using burp suit pro intruder for testing. Have you tried it besides wordpress? Wonder what I'm doing wrong. thanks anyway. cheers On Thu, Aug 21, 2014 at 11:43 PM, Wesley Render mailto:wren...@otherdata.com>> wrote: I believe you would just set yours like this (Just include the URL after the domain name)…. # # -- [[ Brute Force Protection ]] - # # If you are using the Brute Force Protection rule set, then uncomment the following # lines and set the following variables: # - Protected URLs: resources to protect (e.g. login pages) - set to your login page # - Burst Time Slice Interval: time interval window to monitor for bursts # - Request Threshold: request # threshold to trigger a burst # - Block Period: temporary block timeout # SecAction \ "id:'900014', \ phase:1, \ t:none, \ setvar:'tx.brute_force_protected_urls=#/user/user/login/#', \ setvar:'tx.brute_force_burst_time_slice=60', \ setvar:'tx.brute_force_counter_threshold=10', \ setvar:'tx.brute_force_block_timeout=300', \ nolog, \ pass" [Otherdata_Logo_2011] Wesley Render, IT Consultant, RHCSA Phone: 1.403.228.1221 ext 201 www.otherdata.com<http://www.otherdata.com/> [findonfacebook]<http://www.facebook.com/otherdata> From: Sabin Ranjit [mailto:think.sa...@gmail.com<mailto:think.sa...@gmail.com>] Sent: August-21-14 10:39 AM To: Wesley Render Cc: owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org> Subject: Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working hi Wesley, I'm not using wordpress, I'm try to protect my application made in Yii framework and its login url looks like this: https://domainname.net/user/user/login/ how can I set brute_force_protected_urls value for thisof url ?I tried few ways but it gave me syntax error. thanks, regards On Thu, Aug 21, 2014 at 9:36 PM, Wesley Render mailto:wren...@otherdata.com>> wrote: In your modsecurity_crs_10_setup.conf file you need to make sure to uncomment, and define the paths for your login page. You will notice the first line of the rule is commented out with a regular pound symbol. Then restart apache. Here is how mine looks. I set it up for WordPress and Drupal. It has been working well for WordPress brute force attempts: # # -- [[ Brute Force Protection ]] - # # If you are using the Brute Force Protection rule set, then uncomment the following # lines and set the following variables: # - Protected URLs: resources to protect (e.g. login pages) - set to your login page # - Burst
