Comments (3)
Hi @no-sec-marko,
thanks for sharing your idea.
I have had a very similar idea: monitoring a preset TX (or any custom) variable, and if it reaches the threshold, then terminate the transaction.
If you want to look up the number of triggered rules, then it's a bit problematic this way, because you must provide a method for counting the triggered rules (e.g. I assume if you use CRS, you don't want to count the rules from crs-setup.conf, REQUEST-901-INITIALIZATION.conf, nor from any exclusions config).
But maybe this idea can help you to reduce the number of unwanted triggerings.
Please let me figure out how we can implement this, especially what would be the best way to configure these limits.
If anyone has an idea related to this feature, please share it here.
from modsecurity.
I'm not sure that the engine should stop processing rules. In CRS, the rule for blocking based on score is one of the last rules, so stopping processing would essentially skip blocking.
However, if post-processing is the issue, then it would suffice to limit the output to audit / error logs.
from modsecurity.
I do not really like the monitoring of a preset variable from a conceptual viewpoint.
If you want to block when a certain rule is triggered, then issue a deny with the rule.
If you want to group rules together and block afterwards, then add a rule after the group and issue a deny in this group.
I also second what @theseion stated: With a scoring rule set you can not simply stop processing, and if you use ModSec to display additional information about a request in the logs in phase 5, then stopping processing a request effectively means you lack that information in the logs when you most need it.
I think this is a rules problem and it should be dealt with in the rules.
Circling back to the original reporter @no-sec-marko. Yes, this is a conceptual problem of every WAF. Given that the WAF logs a ton of information, it's like filling the access log of a webserver, but on steroids. You need to anticipate this when building your platform. The rule set could try to protect you, but the rule set is in a bad position to monitor its own execution, and any monitoring would slow things down for the very rare case somebody tried to pull this off in the wild (I have never seen this obvious weakness being exploited).
from modsecurity.
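As an added illustration of the pattern discussed in the comments above (a group of rules that only score, followed by one rule after the group that issues the deny once the threshold is reached, with phase 5 logging still running after the block), here is a minimal SecLang fragment. It is example configuration written for this page, not rules taken from ModSecurity or the CRS; the rule IDs 100001-100004, the tx.example_score variable, the threshold of 10 and the two detection patterns are hypothetical placeholders chosen for the demonstration.

```apache
# Hypothetical example rules, not part of ModSecurity or the CRS.
# Group of related rules: each one only adds to a score and passes,
# none of them blocks on its own.
SecRule ARGS:q "@rx (?i)union\s+select" \
    "id:100001,phase:2,pass,nolog,t:none,t:urlDecodeUni,\
    msg:'Example SQLi-style pattern (hypothetical rule)',\
    setvar:'tx.example_score=+5'"

SecRule ARGS:q "@rx (?i)<script" \
    "id:100002,phase:2,pass,nolog,t:none,t:urlDecodeUni,\
    msg:'Example XSS-style pattern (hypothetical rule)',\
    setvar:'tx.example_score=+5'"

# Evaluation rule placed after the group: block only once the combined
# score reaches the (hypothetical) threshold of 10. Because this rule
# comes after the group, every scoring rule above has already run, so
# their contributions are in tx.example_score when the decision is made.
SecRule TX:EXAMPLE_SCORE "@ge 10" \
    "id:100003,phase:2,deny,status:403,log,t:none,\
    msg:'Example group score %{tx.example_score} reached the threshold'"

# Phase 5 (logging) runs even for a transaction that was denied in
# phase 2, so the final score is still written to the log. Stopping
# rule processing early at the first match would lose this record.
SecRule TX:EXAMPLE_SCORE "@gt 0" \
    "id:100004,phase:5,pass,log,t:none,\
    msg:'Example transaction finished with score %{tx.example_score}'"
```

Rule order is what makes this work: 100003 must be loaded after 100001 and 100002 so that the variable has been fully accumulated before it is compared, and 100004 is in phase 5 so it observes the end result regardless of whether 100003 denied the request.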