
How do variables work about modsecurity HOT 5 CLOSED

tiptop-crazy avatar tiptop-crazy commented on September 7, 2024
How do variables work

from modsecurity.

Comments (5)

tiptop-crazy avatar tiptop-crazy commented on September 7, 2024 1

@airween Thanks a lot:)


airween avatar airween commented on September 7, 2024

Hi @tiptop-crazy,

  1. How long does a variable live if expirevar isn't set? Does it live until the transaction has been checked by all the rules?

It depends on which backend you use. libmodsecurity3 provides two kinds of persistent storage:

  • in-memory
  • LMDB

If you use in-memory storage (i.e. you don't use LMDB, which has to be added at the ./configure step), then these collections are stored in memory. The data is available while the HTTP daemon runs; after a restart it will disappear.

If you use LMDB (you should compile the library with ./configure --with-lmdb), then the collections are stored in an LMDB database, and if there is no expirevar they will stay there until you remove the database.

  2. In the case when expirevar is specified for a variable, does it somehow bind to the source IP?

expirevar sets the time when the engine removes the variable from the storage. If you set the value to 60, it means the variable will expire 60s after the rule was evaluated.

But I didn't save the client IP anywhere...

Sorry, what's your expectation? I mean where do you want to save the IP?

Moreover: have you initialized the collection with initcol?


tiptop-crazy avatar tiptop-crazy commented on September 7, 2024

Hi @airween ,

thanks for such a fast answer:)

> Sorry, what's your expectation? I mean where do you want to save the IP?

I have a site (for instance testmodsec.test on 192.168.1.2, client1 192.168.1.3, client2 192.168.1.4). So I'm trying to figure out why the rules described in my request work correctly:

  1. they ban for 1 minute only the client which sends the malicious request
  2. they ban by IP (no matter which UA it uses)

And I almost figured it out:

  1. although I disabled all rules except 7777, 7778 and CRS 941100, I still have this SecAction in the initialization:
SecAction \
    "id:901321,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    initcol:global=global,\
    initcol:ip=%{remote_addr}_%{tx.ua_hash},\
    setvar:'tx.real_ip=%{remote_addr}'"

When I disable this SecAction, after 5 malicious requests from client1, client2 also gets a 406.

  2. I also have this SecRule in the initialization:
SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
    "id:901318,\
    phase:1,\
    pass,\
    t:none,t:sha1,t:hexEncode,\
    nolog,\
    ver:'OWASP_CRS/3.3.5',\
    setvar:'tx.ua_hash=%{MATCHED_VAR}'"

When I enable it:

  1. they ban for 1 minute only the client which sends the malicious request
  2. they ban by IP
  3. it matters which UA it uses

So, can you explain a bit more how initcol works?

  1. How long does a collection live, since SecCollectionTimeout isn't supported in v3?
  2. When I do initcol:ip=%{remote_addr}_%{tx.ua_hash}, is it just the name of the collection?
  3. Are variables like ip.dangerous_activity connected with the collection ip?


airween avatar airween commented on September 7, 2024

hi @tiptop-crazy,

Just quick answers (sorry):

  • How long does a collection live, since SecCollectionTimeout isn't supported in v3?

As I explained in my previous comment, if you don't use LMDB for the collection database, the collections live until you restart your web server.

  • When I do initcol:ip=%{remote_addr}_%{tx.ua_hash}, is it just the name of the collection?

We can say yes. In a collection you can store key:value pairs. If you take a look at the TX collection (which is the most used) you can see how to set a variable:

tx.foo='bar'

Now the TX collection will have a variable where the key is foo and the value is bar.

But TX is a "special" collection, because it lives only through the transaction. Each transaction initializes (we can say automatically) a TX collection.

But the other collections are permanent, which means that when the transaction has ended, the data is still there. It's easy to see that they must be distinguished; e.g. in the case of the IP collection you can choose %{REMOTE_ADDR} (which is the client's IP) as a "sub-collection". TX.ua_hash is just a concatenated value; it's necessary if you want to distinguish users behind a NAT. It can work if the users use different UAs, but not if the UAs are the same.

  • Are variables like ip.dangerous_activity connected with collection ip?

Yes, but as I wrote above you have to choose a "sub-collection" in which you put that variable.

Maybe you should read this section: https://www.feistyduck.com/library/modsecurity-handbook-free/online/ch04-logging.html especially the "Selective Audit Logging" block.

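As an added example (not code from this thread, from the OWASP CRS or from the ModSecurity project), here is a minimal stand-alone rule set that does what the thread is circling around: ban the offending client IP for 60 seconds after 5 malicious requests, keyed purely by IP so the User-Agent does not matter. It keys the IP collection with initcol:ip=%{REMOTE_ADDR} alone, instead of the %{remote_addr}_%{tx.ua_hash} key that CRS 901321 uses, which is exactly why a second User-Agent from the same IP landed in a different sub-collection in the original observation. The rule IDs 1000100-1000102 and the "<script" detection pattern are assumptions chosen for illustration; the variable name ip.dangerous_activity is the one used in the thread.

```apache
# Added example, not from the thread or from the CRS/ModSecurity project.
# Rule IDs 1000100-1000102 and the detection pattern are assumptions.

SecRuleEngine On

# Initialize the persistent IP collection keyed ONLY by the client address.
# With %{REMOTE_ADDR}_%{tx.ua_hash} (CRS 901321) each distinct User-Agent
# from the same IP gets its own sub-collection, so a UA change dodges the ban.
SecAction \
    "id:1000100,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    initcol:ip=%{REMOTE_ADDR}"

# Enforce first, in phase 1, so a banned IP is refused before the body is read.
# ip.dangerous_activity is read from the sub-collection selected above.
SecRule IP:DANGEROUS_ACTIVITY "@ge 5" \
    "id:1000101,\
    phase:1,\
    deny,\
    status:406,\
    t:none,\
    log,\
    msg:'Blocked %{REMOTE_ADDR}: %{ip.dangerous_activity} malicious requests in the last 60s'"

# Count: a request argument containing the (deliberately naive) marker string
# is treated as malicious. Replace the operator with your real detection, e.g.
# a rule on the CRS anomaly score. Each hit increments the counter and
# (re)arms a 60-second expiry on it, so the ban ends 60s after the LAST hit.
SecRule ARGS "@contains <script" \
    "id:1000102,\
    phase:2,\
    pass,\
    t:none,t:lowercase,\
    log,\
    msg:'Malicious request from %{REMOTE_ADDR}',\
    setvar:'ip.dangerous_activity=+1',\
    expirevar:'ip.dangerous_activity=60'"
```

Two caveats follow directly from airween's answers above. With the default in-memory backend of libmodsecurity3 the ip collection (and therefore the counter and its expiry) is lost on a daemon restart; only a build with ./configure --with-lmdb keeps it across restarts. And since SecCollectionTimeout is not supported in v3, expirevar is the only thing that ages the counter out, so a counter set without expirevar stays until the process restarts (in-memory) or the LMDB database is removed.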

airween avatar airween commented on September 7, 2024

You're welcome.

Feel free to close the issue if you don't have any questions.

