Description
Hi!
I'm trying to create some rules which use an IP persistent collection.
First I tried with Nginx v1.14.0, ModSecurity-nginx master, ModSecurity v3.0.0 without lua or lmdb.
The collection initialized and I could make a counter, like counting every page load on the given URI.
But expirevar is not working, which is very bad if I try something like this on a production server.
After this I tried ModSecurity v3.0.2, with the same setup and configurations.
But in this case the rules that previously worked are not working at all.
Operators like gt and eq are not working with that counter. I can't even get its value logged out.
I saw in the commits there were many changes related to collection naming since v3.0.0, but I haven't found any example of how I should use them after these changes.
So my question is: can you provide some example of how to use the IP collection in v3.0.2?
How can we change the backend from the in-memory collection to another one, like lmdb (or later redis)?
Some example rules:
# Every rule/action needs an id; 3999 is a placeholder chosen here, pick a free one.
# The collection is only opened here; initialising the counter is left to rule 4000,
# otherwise this phase:1 action resets the counter to 0 on every request.
SecAction "id:3999,\
phase:1,\
log,\
pass,\
msg:'Collection initiated for %{REMOTE_ADDR}',\
logdata:'Collection initiated for %{REMOTE_ADDR}',\
initcol:ip=%{REMOTE_ADDR}"
# &IP:counter is the number of variables named counter: 0 means it is absent or expired.
# Operators must be prefixed with @, otherwise "eq 0" is treated as a regex.
SecRule &IP:counter "@eq 0" "id:4000,\
msg:'init filter',\
logdata:'initfilter',\
setvar:ip.counter=0,\
expirevar:ip.counter=30"
# Count each request carrying the string "attack" in an argument; the TTL is
# refreshed on every hit, so this is a sliding 15 second window.
SecRule ARGS "attack" "id:401131,\
phase:2,\
setvar:ip.counter=+1,\
expirevar:ip.counter=15,\
log,\
msg:'Counter %{IP.counter} remote %{REMOTE_ADDR}',\
logdata:'Counter %{IP.counter} remote %{REMOTE_ADDR}'"
SecRule IP:counter "@eq 0" \
"id:401114,\
msg:'counter is 0',\
logdata:'counter is 0'"
SecRule IP:counter "@eq 1" \
"id:401115,\
msg:'counter equals to 1',\
logdata:'counter equals to 1'"
SecRule IP:counter "@gt 1" \
"id:401116,\
msg:'counter greater than 1',\
logdata:'counter greater than 1'"
SecRule IP:counter "@eq 6" \
"id:401117,\
msg:'this should be expired',\
logdata:'expired',\
setvar:ip.counter=0,\
expirevar:ip.counter=1"
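As an added example (not ModSecurity or the issue author's code), here is an offline model of what the rules above are meant to do, so the expected counter values per request can be worked out and compared against what the engine actually logs. It assumes a per-IP collection where setvar writes a variable and expirevar attaches a TTL after which the variable disappears; the IP address and request arguments are constructed.

```python
class IpCollection:
    """Per-IP variable store with expirevar-style TTLs (a model, not libmodsecurity)."""

    def __init__(self):
        self._store = {}  # ip -> {name: (value, expires_at or None)}

    def initcol(self, ip):
        self._store.setdefault(ip, {})

    def get(self, ip, name, now):
        value, expires_at = self._store.get(ip, {}).get(name, (None, None))
        if expires_at is not None and now >= expires_at:  # expired: variable is gone
            self._store[ip].pop(name, None)
            return None
        return value

    def setvar(self, ip, name, value, now, increment=False):
        current = self.get(ip, name, now) or 0
        _, expires_at = self._store[ip].get(name, (None, None))  # keep an existing TTL
        self._store[ip][name] = ((current + value) if increment else value, expires_at)

    def expirevar(self, ip, name, ttl, now):
        value, _ = self._store[ip].get(name, (None, None))
        if value is not None:
            self._store[ip][name] = (value, now + ttl)


def process_request(col, ip, args, now):
    """Apply the rule chain from the issue to one request; return the fired rule ids."""
    fired = []
    col.initcol(ip)
    if col.get(ip, "counter", now) is None:  # rule 4000: (re)initialise after expiry
        col.setvar(ip, "counter", 0, now)
        col.expirevar(ip, "counter", 30, now)
        fired.append(4000)
    if any("attack" in v for v in args.values()):  # rule 401131: count the hit
        col.setvar(ip, "counter", 1, now, increment=True)
        col.expirevar(ip, "counter", 15, now)  # TTL refreshed: sliding window
        fired.append(401131)
    counter = col.get(ip, "counter", now)
    for rule_id, cond in ((401114, counter == 0), (401115, counter == 1), (401116, counter > 1)):
        if cond:
            fired.append(rule_id)
    if counter == 6:  # rule 401117: reset with a one second TTL
        col.setvar(ip, "counter", 0, now)
        col.expirevar(ip, "counter", 1, now)
        fired.append(401117)
    return fired
```

Replaying a request sequence through `process_request` with increasing timestamps shows which rule ids should fire at each step; a differing list from the real engine points at the expirevar or operator problem described in the issue.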