
List:       mod-security-users
Subject:    [mod-security-users] About Brute Force Rules
From:       Wingless-Archangel <nataoh () gmail ! com>
Date:       2009-09-15 10:54:46
Message-ID: 3d1b6bea0909150354h5a608978v483919a337f45b2f () mail ! gmail ! com

Dear All,

I tried to create rules for brute force:

SecAction initcol:ip=%{REMOTE_ADDR},nolog
# Block this IP if it submits an invalid usr/passwd more than 10 times
SecRule RESPONSE_BODY "<div id='login_error'>" \
    "log,phase:4,auditlog,setvar:ip.auth_attempt=+1,deprecatevar:ip.auth_attempt=3/200,msg:'Invalid Login',tag:'Brute_Force'"
SecRule IP:AUTH_ATTEMPT "@gt 10" \
    "log,auditlog,drop,status:403,phase:1,msg:'Possible Brute Force Attack',severity:'2',tag:'Brute_Force'"

After I tried a brute force, it can detect the anomalous login, but it can't
block after IP:AUTH_ATTEMPT > 10.

What's wrong in my rules? Did I miss something?

Thanks a lot,
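
Added example, not part of the original post or the list's reply: the same three rules for ModSecurity 2.x with the collection loaded in phase 1, so the phase 1 threshold check has an IP collection to read. A SecAction with no explicit phase runs in the default phase (2), which is after phase 1 rules have already been evaluated. Assumptions: no SecDefaultAction elsewhere changes the default phase, and the SecDataDir path is a placeholder.

```apache
# Persistent collections (initcol) are stored under SecDataDir.
# The path is a placeholder; use a directory writable by the web server user.
SecDataDir /var/cache/modsecurity

# RESPONSE_BODY is only populated when response body buffering is enabled.
SecResponseBodyAccess On

# Phase 1: load the per-IP collection first, before any rule reads it.
# The original SecAction had no phase, so it ran in the default phase 2.
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Phase 1: refuse clients whose failed-login counter is already over 10.
# deny sends the status code; drop closes the connection instead,
# so status:403 has no effect when combined with drop.
SecRule IP:AUTH_ATTEMPT "@gt 10" \
    "phase:1,log,auditlog,deny,status:403,msg:'Possible Brute Force Attack',severity:'2',tag:'Brute_Force'"

# Phase 4: count a failed login when the error marker is in the response.
# deprecatevar lowers the counter by 3 every 200 seconds.
SecRule RESPONSE_BODY "<div id='login_error'>" \
    "phase:4,log,auditlog,pass,setvar:ip.auth_attempt=+1,deprecatevar:ip.auth_attempt=3/200,msg:'Invalid Login',tag:'Brute_Force'"
```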
