
modsecurity 3.0.x. What's the DeprecateVar alternative?

Open mtricolici opened this issue 6 years ago • 7 comments

Question: What is the 'DeprecateVar' alternative for modsecurity v3? I'm trying to implement some kind of rate limiting logic.

Sample code:

SecAction "id:11,phase:1,setvar:ip.requests=+1,deprecatevar:ip.requests=4/1"

Logs and dumps

[emerg] 2102#2102: "modsecurity_rules" directive Rules error. File: <>. Line: 5. Column: 23. Action: DeprecateVar is not yet supported.

mtricolici avatar Oct 29 '18 15:10 mtricolici

Any progress towards the deprecatevar support? Is there any alternative to use in rules like brute force?

void-in avatar Jun 27 '20 10:06 void-in

Until deprecatevar is available in libModSecurity, the best strategy I can think of for comparable functionality is to:

  • in a separate variable, store the time when the next subtraction should occur
  • using TIME_EPOCH is probably a good candidate for the base, and then add the increment that you want
  • for a new request if the current TIME_EPOCH exceeds the stored time, then do the subtraction and store the result

martinhsv avatar Jan 20 '22 15:01 martinhsv

@martinhsv I tried to do what you suggested in the last comment.

SecAction "phase:1,id:100001,nolog,pass,setvar:user.ugmJRkZkjvEz=%{TIME_EPOCH}"

SecRule REQUEST_HEADERS:User-Agent "\Qopera\E"     "id:100003,phase:1,log,auditlog,setuid:%{tx.ua_hash},setvar:user.ugmJRkZkjvEz=+5"
SecRule user:ugmJRkZkjvEz "@gt %{TIME_EPOCH}" "chain,id:100004,phase:1,auditlog,deny,status:429,setenv:RATELIMITED,log,msg:'RATELIMITED User-Agent'"
            SecRule REQUEST_HEADERS:User-Agent "\Qopera\E"

The problem is, for each request user.ugmJRkZkjvEz gets set to the current TIME_EPOCH. How can I make sure that this variable user.ugmJRkZkjvEz gets initialized just once while nginx starts. Or do you have a better way?

nagri avatar Oct 03 '22 09:10 nagri

@mtricolici @void-in were you able to figure this out?

nagri avatar Oct 04 '22 05:10 nagri

Hello @nagri ,

Regarding your specific question about setting a variable only once:

One way to do this is to test for the existence of the variable by using the special operator '&' (the 'count' operator). For example, assuming the IP collection has already been initialized via initcol, one could test whether a particular variable has ever been set for that IP:

SecRule &IP.expiry "@eq 0" ...

Note that the earliest one can set a variable is when the first HTTP request is processed (as that's when rules will be executed).

martinhsv avatar Oct 04 '22 21:10 martinhsv
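The two ideas above (decrement the counter only when TIME_EPOCH passes a stored deadline, and use the '&' count operator so the deadline is written just once) combined into one rule set. This is an added example, not code from this thread or from the ModSecurity project: the rule ids 200001-200006, the IP collection keyed on REMOTE_ADDR, the 60-second interval, the decrement of 4 and the threshold of 20 are all constructed values, and the example assumes that initcol, persistent IP collections and macro expansion inside @gt behave this way in the libModSecurity build in use.

```apacheconf
# Added example (not from the issue thread). Approximates
#   deprecatevar:ip.requests=4/60
# with a stored deadline instead of the unsupported action.
# Assumed: rule ids 200001-200006, interval 60 s, decrement 4, limit 20.

# Attach the per-client persistent collection (assumed key: REMOTE_ADDR).
SecAction "id:200001,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Runs only while ip.next_decay has never been set for this client
# ('&' counts matching variables, 0 means absent), so the deadline is
# initialised once per client rather than on every request.
SecRule &IP:next_decay "@eq 0" \
    "id:200002,phase:1,nolog,pass,\
    setvar:ip.requests=0,\
    setvar:ip.next_decay=%{TIME_EPOCH},\
    setvar:ip.next_decay=+60"

# Every request costs one unit.
SecAction "id:200003,phase:1,nolog,pass,setvar:ip.requests=+1"

# Deadline passed: subtract the decrement once and schedule the next one.
SecRule TIME_EPOCH "@gt %{ip.next_decay}" \
    "id:200004,phase:1,nolog,pass,\
    setvar:ip.requests=-4,\
    setvar:ip.next_decay=%{TIME_EPOCH},\
    setvar:ip.next_decay=+60"

# Never let the counter go below zero after a subtraction.
SecRule IP:requests "@lt 0" "id:200005,phase:1,nolog,pass,setvar:ip.requests=0"

# Enforce the limit (429 as in the rules posted earlier in this thread).
SecRule IP:requests "@gt 20" \
    "id:200006,phase:1,log,deny,status:429,msg:'Rate limit exceeded'"
```

Rules run in file order within phase 1, so the initialisation rule must precede the increment and the clamp must follow the subtraction. One difference from the real deprecatevar remains: rules cannot loop, so when several intervals elapse between two requests only one decrement of 4 is applied, which makes this variant slightly stricter than the original semantics; the counter is also only decayed when the client sends a request, never in the background.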

@nagri no. I don't use modsecurity anymore :(

mtricolici avatar Nov 01 '22 09:11 mtricolici

Any news?

Elyasnz avatar Jan 06 '23 08:01 Elyasnz