Git Product home page Git Product logo

Comments (3)

airween avatar airween commented on June 1, 2024

Hi @no-sec-marko,

thanks for shared your idea.

I have had a very similar idea: monitoring a preset TX (or any custom) variable, and if it reaches the threshold, then terminate the transaction.

If you want to look up the number of triggered rules, then it's a bit problematic this way, because you must provide a method how to count the triggered rules (eg. I assume if you use CRS, you don't want to count the rules from crs-setup.conf, REQUEST-901-INITIALIZATION.conf, neither from any exclusions config).

But may be this idea can help you to reduce the number of unwanted triggering.

Please let me figure out how can we implement this, especially what would be the best way to configure these limits.

If anyone has an idea related to this feature, please share that here.

from modsecurity.

theseion avatar theseion commented on June 1, 2024

I'm not sure that the engine should stop processing rules. In CRS, the rule for blocking based on score is one of the last rules, so stopping to process would essentially skip blocking.

However, if post-processing is the issue, then it would suffice to limit the output to audit / error logs.

from modsecurity.

dune73 avatar dune73 commented on June 1, 2024

I do not really like the monitoring of a preset variable from a conceptual viewpoint.

If you want to block when a certain rule is triggered, then issue a deny with the rule.

If you want to group rules together and block afterwards, then add a rule after the group and issue a deny in this group.

I also second what @theseion stated: With a scoring rule set you can not simply stop processing and if you use ModSec to display additional information about a request in the logs in phase 5, then stopping to process a request effectively means you lack that information in the logs when you most need it.

I think this is a rules problems and it should be dealt with in the rules.

Circling back to the original reporter @no-sec-marko. Yes, this is a conceptual problem of every WAF. Given the WAF logs a ton of information it's like filling the access log of a webserver, but on steroids. You need to anticipate this when building your platform. The rule set could try to protect you, but the rule set is in a bad position to monitor its own execution and any monitoring would slow things down for the very rare case somebody tried to pull this of in the wild (I have never seen this obvious weakness being exploited).

from modsecurity.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.