Comments (5)
@airween Thanks a lot:)
from modsecurity.
Hi @tiptop-crazy,
- How long does a variable live if expirevar isn't set? Does it live until the transaction is checked by all the rules?
It depends on which backend you use. libmodsecurity3 provides two kinds of persistent storage:
- in-memory
- LMDB
If you use in-memory (if you don't use LMDB, which should be added in the ./configure step), then these collections are stored in memory. The data are available while the HTTP daemon runs. After a restart they will disappear.
If you use LMDB (you should compile the library with ./configure --with-lmdb), then the collections are stored in the LMDB database, and if there is no expirevar then they will be there until you remove the database.
- In case expirevar for a variable is specified, does it somehow bind with the source IP?
expirevar sets the time when the engine removes the variable from the storage. If you set the value 60, then it means the variable will expire 60s after the rule was evaluated.
But I didn't save the client IP anywhere...
Sorry, what's your expectation? I mean where do you want to save the IP?
Moreover: have you initialized the collection with initcol?
from modsecurity.
Hi @airween ,
thanks for such a fast answer:)
#Sorry, what's your expectation? I mean where do you want to save the IP?
I have a site (for instance testmodsec.test on 192.168.1.2, client1 192.168.1.3, client2 192.168.1.4). So I'm trying to figure out why the rules described in my request work correctly:
- they ban for 1 minute only the client which sends the malicious request
- ban by IP (no matter which UA it uses)
And I almost figured it out:
- despite disabling all rules except 7777, 7778 and CRS 941100, I still have a SecAction in the initialization:
SecAction \
"id:901321,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.5',\
initcol:global=global,\
initcol:ip=%{remote_addr}_%{tx.ua_hash},\
setvar:'tx.real_ip=%{remote_addr}'"
When I disable this SecAction, after getting 5 malicious requests from client1, client2 also gets 406.
- I also have a SecRule in the initialization:
SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
"id:901318,\
phase:1,\
pass,\
t:none,t:sha1,t:hexEncode,\
nolog,\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.ua_hash=%{MATCHED_VAR}'"
When I enable it:
- they ban for 1 minute only the client which sends the malicious request
- ban by IP
- it matters which UA it uses
So, can you explain a bit more how initcol works?
- How long does a collection live, since SecCollectionTimeout isn't supported in v3?
- When I do initcol:ip=%{remote_addr}_%{tx.ua_hash}, is it just the name of the collection?
- Are variables like ip.dangerous_activity connected with the collection ip?
from modsecurity.
Hi @tiptop-crazy,
just quick answers (sorry):
- How long does a collection live, since SecCollectionTimeout isn't supported in v3?
As I explained in my previous comment, if you don't use LMDB for the collection database, the collections live until you restart your web server.
- When I do initcol:ip=%{remote_addr}_%{tx.ua_hash}, is it just the name of the collection?
We can say yes. In a collection you can store key:value pairs. If you take a look at the TX collection (which is the most used) you can see how to set a variable:
tx.foo='bar'
Now the TX collection will have a variable where the key is foo and the value is bar.
But TX is a "special" collection, because it lives only through the transaction. Each transaction initializes (we can say automatically) a TX collection.
But the other collections are permanent, which means that if the transaction has ended, the data are still there. It's easy to see that they must be distinguished, e.g. in the case of the IP collection you can choose %{REMOTE_ADDR} (which is the client's IP) as a "sub-collection". TX.ua_hash is just a concatenated value; it's necessary if you want to distinguish the users behind a NAT. It can work if users use different UAs, but not if the UAs are the same.
- Are variables like ip.dangerous_activity connected with the collection ip?
Yes, but as I wrote above, you have to choose a "sub-collection" in which you put that variable.
Maybe you should read this section: https://www.feistyduck.com/library/modsecurity-handbook-free/online/ch04-logging.html especially the "Selective Audit Logging" block.
from modsecurity.
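The per-IP ban discussed in this thread, written out as an added example (not the rules from the issue or from CRS): the IP collection is keyed by the client address alone, so the ban applies regardless of User-Agent, and the counter expires 60 seconds after the last hit. Rule ids 1000-1002, the anomaly score threshold of 5 and the use of CRS's TX:ANOMALY_SCORE as the trigger are assumptions of this example.

```apache
# Added example, not from the thread above. Key the IP collection by the
# client address alone (no tx.ua_hash suffix), so the counter and the ban
# apply to every User-Agent coming from that address. With the in-memory
# backend the collection survives only until the web server restarts; with
# --with-lmdb it persists until expirevar fires or the database is removed.
SecAction \
 "id:1000,\
  phase:1,\
  pass,\
  t:none,\
  nolog,\
  initcol:ip=%{REMOTE_ADDR}"

# Hypothetical rule id and threshold: once CRS has scored the request,
# count the transaction as dangerous activity for this IP and (re)arm a
# 60-second expiry on the counter. Phase 5 runs after all scoring rules.
SecRule TX:ANOMALY_SCORE "@ge 5" \
 "id:1001,\
  phase:5,\
  pass,\
  t:none,\
  nolog,\
  setvar:ip.dangerous_activity=+1,\
  expirevar:ip.dangerous_activity=60"

# Hypothetical rule id: deny early once the counter reaches 5. This rule
# must come after the initcol action so the IP collection is populated.
# A denied request stops in phase 1, so it does not re-increment the
# counter; the ban therefore lapses 60 seconds after the last counted hit.
SecRule IP:DANGEROUS_ACTIVITY "@ge 5" \
 "id:1002,\
  phase:1,\
  deny,\
  status:406,\
  t:none,\
  log,\
  msg:'Client IP banned for repeated malicious requests'"
```

To make the ban per IP and User-Agent instead, as in the issue's rule 901321, key the collection as initcol:ip=%{REMOTE_ADDR}_%{TX.ua_hash} after the rule that computes tx.ua_hash.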
You're welcome.
Feel free to close the issue if you don't have any questions.
from modsecurity.