<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Activity for ModSecurity</title><link>https://sourceforge.net/p/mod-security/activity/</link><description>Recent activity for ModSecurity</description><language>en</language><lastBuildDate>Sun, 28 Jul 2024 07:15:55 -0000</lastBuildDate><item><title>Harikisan posted a comment on discussion Open Discussion</title><link>https://sourceforge.net/p/mod-security/discussion/234154/thread/8a7a0e8056/?limit=25#8ea1</link><description>Hi All, We are using the Apache server in our production environment. We want to upgrade modsecurity to latest version(old ModSecurity (v2.x.x)) but ModSecurity (v2.x.x) release the last version (v2.9.7) in Jan 5, 2023 from then there is not any release for v2.x.x. ModSecurity (V2.9.7) has vulnerabilities. We want to know When will v2.9.8 be released with security fixes?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Harikisan</dc:creator><pubDate>Sun, 28 Jul 2024 07:15:55 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/234154/thread/8a7a0e8056/?limit=25#8ea1</guid></item><item><title>Harikisan posted a comment on discussion Open Discussion</title><link>https://sourceforge.net/p/mod-security/discussion/234154/thread/9f299c492a/?limit=25#d49d</link><description>Hi All, We are using the Apache server in our production environment. To use ModSecurity V3 (libmodsecurity), we need to use the ModSecurity-apache connector. This project is under development and not production-ready. The functionality is not complete, so we cannot use it with Apache HTTP Server. 
When can we expect it to be complete?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Harikisan</dc:creator><pubDate>Sun, 28 Jul 2024 07:14:57 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/234154/thread/9f299c492a/?limit=25#d49d</guid></item><item><title>Lorenzo Corgnati posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/5efbc0f02b/?limit=25#802c</link><description>Hi everybody, I have installed ModSecurity on a XUbuntu 22.04 virtual machine running ERDDAP and ncWMS for data distribution. I installed ModSecurity via apt install libapache2-mod-security2 and then I enabled it via a2enmod security2. I have then installed OWASP Core Rule Set v3.3.0. While running ERDDAP I noticed that the queries for requesting data were blocked if containing '(' or ')' characters. Is this a bug or should I set a rule for this? If the latter is the case, how the rule should be set?...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Lorenzo Corgnati</dc:creator><pubDate>Thu, 08 Feb 2024 16:36:48 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/5efbc0f02b/?limit=25#802c</guid></item><item><title>sunny lin posted a comment on discussion Help</title><link>https://sourceforge.net/p/mod-security/discussion/234155/thread/3bacb0ca15/?limit=25#dc9d</link><description>Hi I can't find the "CSRF rule" in OWASP® ModSecurity Core Rule Set (CRS) version 3.2.0, but I find it in version 2.2.9. I wonder can I use both the rule of version 3.2.0 and version 2.2.9 in the same time? 
Best Regards</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">sunny lin</dc:creator><pubDate>Fri, 20 May 2022 09:47:51 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/234155/thread/3bacb0ca15/?limit=25#dc9d</guid></item><item><title>sunny lin posted a comment on discussion Help</title><link>https://sourceforge.net/p/mod-security/discussion/234155/thread/9e2bde86ab/?limit=25#cd6b</link><description>I can't find the "CSRF rule" in OWASP® ModSecurity Core Rule Set (CRS) version 3.3.2, but I find it in version 2.2.9. I wonder is "Cross-site request forgery" still could be protected against by OWASP® ModSecurity Core Rule Set (CRS) 3.3.2 version? If no, can I use both the rule of version 3.3.2 and version 2.2.9 in the same time? Best Regards</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">sunny lin</dc:creator><pubDate>Fri, 20 May 2022 07:04:23 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/234155/thread/9e2bde86ab/?limit=25#cd6b</guid></item><item><title>Franklin Weng posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/a4efc35c50/?limit=25#78e2</link><description>Hi, A problem has bothered us for several weeks and would like to get help here. We installed a fresh Windows 2019 (Datacenter) server with a whole new IIS server. Then we installed ModSecurity 2.9.5 Windows version. It was installed successfully, but when we then connect to http://localhost what we got is 503 error. And the log in IIS showed "Can not load C:\Windows\System32\inetsrv\ModSecurityIIS.dll, data is the error" (translated back from Chinese). 
I've searched plenty of pages including issues...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Franklin Weng</dc:creator><pubDate>Wed, 27 Apr 2022 07:15:25 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/a4efc35c50/?limit=25#78e2</guid></item><item><title>Paul Ashby posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/86a1e0e358/?limit=25#7e79</link><description>I'm having a problem with cookies set by the Metorik WordPress plugin triggering Comodo rule 218500. It's a known issue, but I'd obviously prefer not to disable the rule across the board. Is there some directive I can use to whitelist just the cookies that cause the issue? I tried the solution detailed here with this directive: secRuleUpdateTargetById 218500 !REQUEST_COOKIES:/^ sbjs_first/ but that gave the following error message Error to update target - [\x80\xd3\xed\x90-V] is not valid target...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Paul Ashby</dc:creator><pubDate>Sun, 28 Nov 2021 14:51:26 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/86a1e0e358/?limit=25#7e79</guid></item><item><title>Karthik Sirimalla posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/60d2cf205e/?limit=25#5539</link><description>Hi Taylor, Thanks for the response. Please see attached 'modsecurity - simplified.log' or 'modsecurity.log'. 
Simplified log has REQUEST_BODY content trimmed as the actual 'modsecurity.log' is huge.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Karthik Sirimalla</dc:creator><pubDate>Tue, 06 Apr 2021 09:51:53 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/60d2cf205e/?limit=25#5539</guid></item><item><title>Taylor posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/60d2cf205e/?limit=25#a5c1/1068</link><description>Show your data of REQUEST_BODY please,so maybe I can write rules to help you. On 4/5/2021 16:27，Karthik Sirimallakarthik1@users.sourceforge.net wrote： We are using ModSecurity CRS 3.0.2 and need to exclude rule 930110 which blocks requests if it contains patterns '../' and '..\'(Path Traversal Attack). If we attach a file while submitting the request, this pattern gets matched frequently and request is blocked which we want to avoid. I was able to exclude the REQUEST_BODY using below: SecRuleUpdateTargetById...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Taylor</dc:creator><pubDate>Tue, 06 Apr 2021 09:19:13 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/60d2cf205e/?limit=25#a5c1/1068</guid></item><item><title>Karthik Sirimalla posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/60d2cf205e/?limit=25#a5c1</link><description>We are using ModSecurity CRS 3.0.2 and need to exclude rule 930110 which blocks requests if it contains patterns '../' and '..\'(Path Traversal Attack). If we attach a file while submitting the request, this pattern gets matched frequently and request is blocked which we want to avoid. I was able to exclude the REQUEST_BODY using below: SecRuleUpdateTargetById 930110 "!REQUEST_BODY" Is there a way to exclude just the attachment and scan rest of the REQUEST_BODY? 
If not, can we identify if REQUEST_BODY...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Karthik Sirimalla</dc:creator><pubDate>Mon, 05 Apr 2021 08:27:46 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/60d2cf205e/?limit=25#a5c1</guid></item><item><title>Alexey Efremov modified a comment on discussion Help</title><link>https://sourceforge.net/p/mod-security/discussion/234155/thread/21d5fa4fff/?limit=25#6d71</link><description>Dear Sirs, We are designing an application that will process incoming connections using the FIX protocol (https://www.fixtrading.org/standards). Can ModSecurity be used to protect the back-end application from potential attacks, validating incoming FIX messages? Can ModSecurity be configured to parse FIX messages with low latency ? Thx! FIX Trading Community (https://www.fixtrading.org/standards/) FIX Standards • FIX Trading Community</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Alexey Efremov</dc:creator><pubDate>Tue, 30 Mar 2021 21:15:37 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/234155/thread/21d5fa4fff/?limit=25#6d71</guid></item><item><title>Alexey Efremov posted a comment on discussion Help</title><link>https://sourceforge.net/p/mod-security/discussion/234155/thread/21d5fa4fff/?limit=25#6d71</link><description>Hello! We are designing an application that will process incoming connections using the FIX protocol (https://www.fixtrading.org/standards). Can ModSecurity be used to protect the back-end application from potential attacks, validating incoming FIX messages? Can ModSecurity be configured to parse FIX messages with low latency ? Thx! 
FIX Trading Community (https://www.fixtrading.org/standards/) FIX Standards • FIX Trading Community</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Alexey Efremov</dc:creator><pubDate>Tue, 30 Mar 2021 21:12:55 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/234155/thread/21d5fa4fff/?limit=25#6d71</guid></item><item><title>Carlos posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/83189b848b/?limit=25#a025</link><description>Hi guys, I am new to using mod_security, I installed a LAMP server and wanted to secure it with mod_security, but it is giving me problems with Owncloud application. I've been reading the instructions for use, but I can't get mod_security to block Owncloud syncing. I have seen that there are specific rules for some applications including a very similar Nextcloud, but as I have commented, I can't get it to work. I tried different solutions that I had seen on the internet and different forums, but...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Carlos</dc:creator><pubDate>Sat, 20 Feb 2021 21:04:03 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/83189b848b/?limit=25#a025</guid></item><item><title>Dario Vanin posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/5f1f02419b/?limit=25#afce</link><description>I also noticed that I have an issue when I try Curl and I wonder if the issue could be HTTP2 with modsecurity... 
curl --insecure https://devfe:443 curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dario Vanin</dc:creator><pubDate>Mon, 15 Feb 2021 23:48:20 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/5f1f02419b/?limit=25#afce</guid></item><item><title>Dario Vanin posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/5f1f02419b/?limit=25#844d</link><description>Hi guys, I have installed modsecurity and it works great on Chrome and Firefox on my Mac. Unfortunately when I the website on Mac/Safari I get the following error message: Safari can’t open the page “REMOVED”. The error is: “cannot parse response” (NSURLErrorDomain:-1017) On my Iphone, when I open it on Chrome I get the following error: This site can’t be reachedThe web page at REMOVED might be temporarily down or it may have moved permanently to a new web address. ERR_INVALID_RESPONSE Everything...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dario Vanin</dc:creator><pubDate>Mon, 15 Feb 2021 22:58:11 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/5f1f02419b/?limit=25#844d</guid></item><item><title>Amin El-Zein posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/1d107e1b7d/?limit=25#269b</link><description>Hello, i installed apache2.4 with modsecurity under freebsd , when i add rule files that is contain for example: &lt;LocationMatch /wp-admin/user-new.php&gt; SecRuleRemoveById 390703 &lt;/LocationMatch&gt; &lt;LocationMatch /wp-admin/options-permalink.php&gt; SecRuleRemoveById 390703 &lt;/LocationMatch&gt; &lt;LocationMatch /shop/remote.php&gt; SecRuleRemoveById 390703 &lt;/LocationMatch&gt; the apache give me invalid input error. 
so where is the problem ?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Amin El-Zein</dc:creator><pubDate>Sat, 13 Feb 2021 17:18:23 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/1d107e1b7d/?limit=25#269b</guid></item><item><title>Anders Rosvall posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/57d8322b28/?limit=25#d28f</link><description>I found out what caused the problem, (SSL) handshake timeout. I needed to increase the timeout in reqtimeout.conf like this: RequestReadTimeout header=20-50,minrate=400 body=20-50,MinRate=400 Now problem gone.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Anders Rosvall</dc:creator><pubDate>Wed, 10 Feb 2021 22:33:37 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/57d8322b28/?limit=25#d28f</guid></item><item><title>Anders Rosvall modified a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/57d8322b28/?limit=25#e770</link><description>I have a issue with modsecurity. In the error log I get a lot of - ModSecurity: Error reading request body: Software caused connection abort My setup: Debian 10 (buster) Apache 2.4.38 Modsecurity 2.9.3 Owasp-modsecurity-crs 3.3.0 Internet --&gt; Firewall --&gt; WAF(debian/apache/modsecurity proxy) --&gt; webshop server(Prestashop webshop) I've searched and found very little info. 
I've tried to increase these variables, now they are four times the original but no difference: SecRequestBodyLimit 52428800 SecRequestBodyNoFilesLimit...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Anders Rosvall</dc:creator><pubDate>Mon, 01 Feb 2021 15:18:34 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/57d8322b28/?limit=25#e770</guid></item><item><title>Anders Rosvall posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/57d8322b28/?limit=25#e770</link><description>I have a issue with modsecurity. In the error log I get a lot of - ModSecurity: Error reading request body: Software caused connection abort My setup: Debian 10 (buster) Apache 2.4.38 Modsecurity 2.9.3 Owasp-modsecurity-crs 3.3.0 Internet --&gt; Firewall --&gt; WAF(debian/apache/modsecurity proxy) --&gt; webshop server(Prestashop webshop) I've searched and found very little info. I've tried to increase these variables, now they are four times the original but no difference: SecRequestBodyLimit 52428800 SecRequestBodyNoFilesLimit...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Anders Rosvall</dc:creator><pubDate>Mon, 01 Feb 2021 12:40:54 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/57d8322b28/?limit=25#e770</guid></item><item><title>Ian Ace Macaraeg posted a comment on discussion Help</title><link>https://sourceforge.net/p/mod-security/discussion/234155/thread/4dcd348127/?limit=25#c7a5</link><description>Hi, I have activated the modsecurity but still detect the SQL injection and File Inclusion. Is there any configuration need to be updated? 
Thanks!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ian Ace Macaraeg</dc:creator><pubDate>Mon, 30 Nov 2020 02:55:00 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/234155/thread/4dcd348127/?limit=25#c7a5</guid></item><item><title>Nesamani posted a comment on discussion Help</title><link>https://sourceforge.net/p/mod-security/discussion/234155/thread/ae3bd74144/?limit=25#4210</link><description>Hi All, I want to do URI based rate limiting in modsecurity. There are two rates that have to be kept track of, one is the overall rate and the other is the site specific rate. Can someone please translate the below pseudocode into modsecurity code? I am new to modsecurity. Pseudocode: when HTTP_REQUEST { if { HTTP_URI starts_with "/ms/site/" } { $site = get_third_field_from_HTTP-URI #if HTTP_URI = /ms/site/abcorp/123, then get "abcorp" $overall_rate = some_number $overall_limit = some_number $per_site_rate...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Nesamani</dc:creator><pubDate>Thu, 05 Nov 2020 18:18:35 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/234155/thread/ae3bd74144/?limit=25#4210</guid></item><item><title>Simon posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/aabb376b65/?limit=25#603b</link><description>Hi First time user of mod security, just installed ModSecurity v2.9.3 for IIS MSI Installer - 64bits on a Windows Server 2012 High traffic website I log into the site, refresh the page, it's fast refresh the page, slow loading refresh the page, fast refresh the page, total stall, won't even load, completely stuck refresh the page, slow loading refresh the page, fast again.... 
if I disable modsecurity in the web config to turn it off for the site, its back to super fast again I really want to use this...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Simon</dc:creator><pubDate>Tue, 23 Jun 2020 13:16:54 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/aabb376b65/?limit=25#603b</guid></item><item><title>Taylor posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/702e283240/?limit=25#f1c6/f836</link><description>You can add this rule to the rule file which name is 'REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf'： SecRule SERVER_NAME "lync-external.mydomain.com$" "id:1000,phase:1,pass,nolog,ctl:ruleRemoveTargetById=980130". This means if the hostname is 'lync-external.mydomain.com',then disable the rule which id is 980130. At 2020-02-18 23:48:22, "End User" geico234@users.sourceforge.net wrote: I searched google and was unable to find anything with this, appears to be blocked due to sql injection. [Tue Feb 18...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Taylor</dc:creator><pubDate>Thu, 20 Feb 2020 08:59:34 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/702e283240/?limit=25#f1c6/f836</guid></item><item><title>Taylor posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/3f41185f25/?limit=25#2d68/d557/2981/0b54</link><description>No matter where the files come from,when a file is uploaded through HTTP, only the file name and contents will be included in the data package,unless you modify your program,take the dir of the file as one of the parameters and pass it to the background. At 2020-02-18 16:50:45, "rres-admin" rres-admin@users.sourceforge.net wrote: Taylor, thanks for the reply. 
I should have mentioned that Apache is used as reverse proxy to several target servers.....In fact the upload/download of files is from/to...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Taylor</dc:creator><pubDate>Thu, 20 Feb 2020 08:48:15 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/3f41185f25/?limit=25#2d68/d557/2981/0b54</guid></item><item><title>End User modified a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/702e283240/?limit=25#f1c6</link><description>I searched google and was unable to find anything with this, appears to be blocked due to sql injection. [Tue Feb 18 09:41:44.305146 2020] [:error] [pid 24930] [client x.x.x.x:55593] [client x.x.x.x] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Request content...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">End User</dc:creator><pubDate>Tue, 18 Feb 2020 15:49:04 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/702e283240/?limit=25#f1c6</guid></item><item><title>End User posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/702e283240/?limit=25#f1c6</link><description>I searched google and was unable to find anything with this, appears to be blocked due to sql injection. [Tue Feb 18 09:41:44.305146 2020] [:error] [pid 24930] [client x.x.x.x:55593] [client x.x.x.x] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. 
[file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Request content...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">End User</dc:creator><pubDate>Tue, 18 Feb 2020 15:48:21 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/702e283240/?limit=25#f1c6</guid></item><item><title>rres-admin posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/3f41185f25/?limit=25#2d68/d557/2981</link><description>Taylor, thanks for the reply. I should have mentioned that Apache is used as reverse proxy to several target servers.....In fact the upload/download of files is from/to the target proxied server and NOT from Apache local dir. I receive the 413 code, because Apache does not allow files larger than 12.5Mb from/to target server which is proxied through. '/mydir' resides on the target server and I would like to allow larger just to this specific server/dir whilst the other proxied servers remain with...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rres-admin</dc:creator><pubDate>Tue, 18 Feb 2020 08:50:44 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/3f41185f25/?limit=25#2d68/d557/2981</guid></item><item><title>Taylor posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/3f41185f25/?limit=25#2d68/d557</link><description>You mean the files come from local directory '/mydir'？That won't work because the local address of the source file is not transferred to the server when the file is uploaded，only the file name and contents will be delivered to the server. I suggest you change your mind and use ctl:requestBodyLimit by judging the login user in SESSION. 
At 2020-02-18 00:48:59, "ric greg" rres-admin@users.sourceforge.net wrote: Hi all, We have an Apache server 2.4.6 running md_security 2.9.2 on CentOS 7. /etc/httpd/conf.d/mod_security.confSecRuleEngineOnSecRequestBodyAccessOnSecRuleREQUEST_HEADERS:Content-Type"text/xml"\"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"SecRequestBodyLimit13107200"...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Taylor</dc:creator><pubDate>Tue, 18 Feb 2020 03:30:27 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/3f41185f25/?limit=25#2d68/d557</guid></item><item><title>rres-admin posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/3f41185f25/?limit=25#2d68</link><description>Hi all, We have an Apache server 2.4.6 running md_security 2.9.2 on CentOS 7. /etc/httpd/conf.d/mod_security.conf SecRuleEngine On SecRequestBodyAccess On SecRule REQUEST_HEADERS:Content-Type "text/xml" \ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" SecRequestBodyLimit 13107200" I need to create a rule that overrides this 12.5Mb file limit when files come from directory '/mydir' For some reason I cannot make this work. 
I have tried the following on file: /etc/httpd/modsecurity.d/modsecurity_crs_15_customrules.conf...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rres-admin</dc:creator><pubDate>Mon, 17 Feb 2020 16:48:59 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/3f41185f25/?limit=25#2d68</guid></item><item><title>Taylor posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/51af3727c2/?limit=25#5ffb/a815</link><description>ModSecurity is just one module for web server(Apache,Nginx,IIS),the only thing you need worry about is the website traffic your server can support At 2019-12-23 18:38:52, "Thanh" jonny1304@users.sourceforge.net wrote: Hi guys, I need install mod_security on my server. So I have some question: + Minimum hardware requirements ( i have CPU: 1x Xeon 8C E5-2630 v3 85W 2.4GHz/1866MHz/20MB RAM: 1x16GB PC4-17000 DDR4 2133MHz), is it good enough ? Thanks for your help. 
Minimum hardware requirements (modsecurity)...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Taylor</dc:creator><pubDate>Tue, 24 Dec 2019 06:05:18 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/51af3727c2/?limit=25#5ffb/a815</guid></item><item><title>Jonny posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/f5cf2b93fe/?limit=25#286c</link><description>Hi, I need to know can modsecurity do all of these requirement: - Automated Learning of User and Application Behavior - Research-Driven Security Policies - Flexible Deployment Options - Deep Threat Intelligence - Virtual Patching - HTTP Protocol, Platform, and XML Protection - Granular Correlation Policies Reduce False Positives - Customizable Reports for Compliance and Forensics - Out-of-the-box SIEM Integration" Thanks for your help</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jonny</dc:creator><pubDate>Mon, 23 Dec 2019 10:42:56 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/f5cf2b93fe/?limit=25#286c</guid></item><item><title>Jonny posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/51af3727c2/?limit=25#5ffb</link><description>Hi guys, I need install mod_security on my server. So I have some question: + Minimum hardware requirements ( i have CPU: 1x Xeon 8C E5-2630 v3 85W 2.4GHz/1866MHz/20MB RAM: 1x16GB PC4-17000 DDR4 2133MHz), is it good enough ? 
Thanks for your help.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jonny</dc:creator><pubDate>Mon, 23 Dec 2019 10:38:51 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/51af3727c2/?limit=25#5ffb</guid></item><item><title>Ravi Yellaram posted a comment on discussion Help</title><link>https://sourceforge.net/p/mod-security/discussion/234155/thread/2b54837b20/?limit=25#04a4</link><description>Hi , We are facing Internal Server Error with below mentioned Multipart Strict error configuration parameters mentioned in modsecurity.conf file Message: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/XXXX/XXXX/XXXX/modsecurity.conf"] [line "82"] [id "3"] [msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 1, DA 0, HF 0, LF 0, SM , IQ 0, IH 0, IH 0"] Apache-Error: [file "http_request.c"] [line 107] [level 3] AH01579:...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ravi Yellaram</dc:creator><pubDate>Tue, 29 Oct 2019 09:46:54 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/234155/thread/2b54837b20/?limit=25#04a4</guid></item><item><title>Ahmed Ali posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/c5eb88b563/?limit=25#0a9c</link><description>Hi, We've implemented ModSecurity commercial rules on our API gateway server, and during a POST request that upload a PDF file, the request was blocked by this rule: BOTNET: "SLR: Common IRC Botnet Attack Command String Identified" The request was showing the below error: ModSecurity: Access denied with code 403 (phase 2). 
Matched "Operator Pm' with parameter !tum !zero !lfi !rfi !e107 !sql !osco !zen !adm !op !oscoo !sqle !whmz !cmdlfi !cmde107 !cmdxml' against variable `REQUEST_BODY' form-data;...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ahmed Ali</dc:creator><pubDate>Mon, 28 Oct 2019 15:01:30 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/c5eb88b563/?limit=25#0a9c</guid></item><item><title>Sachin Deshpande posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/f22b49f88c/?limit=25#418d</link><description>Hello All, I am new to modsecurity. I have a legacy server solution using Nginx with no modsecurity. All the data is being received on 443 port with self signed certificate with no authentication for https connection. Now I want to use modsecurity for this application. I have installed modsecurity with Nginx. When I try to open the ssl connection with the same self signed certificates then the connection is not opened and I am getting SSL connection failed with 600 as error. 
It seems that the error...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sachin Deshpande</dc:creator><pubDate>Wed, 11 Sep 2019 10:41:36 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/f22b49f88c/?limit=25#418d</guid></item><item><title>johan modified a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/3a8cb8a0eb/?limit=25#c267</link><description>Duplicate, sorry!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">johan</dc:creator><pubDate>Tue, 03 Sep 2019 08:03:07 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/3a8cb8a0eb/?limit=25#c267</guid></item><item><title>johan posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/3a8cb8a0eb/?limit=25#c267</link><description>Hello, I was wondering if someone has stumbled across a similar issue. I have a web applications running Modsec and the apache error log only logs IDS 949110, 980130. No other IDs are logged at all which makes evaluating false positives quite difficult. I feel as this is not related to the error log format since I have a second application working correctly with the same format. Any help is greatly appreciated. Thank you! 949110 980130 [Sun Sep 01 07:17:30.255322 2019] [:error] [pid 5029] [client...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">johan</dc:creator><pubDate>Mon, 02 Sep 2019 12:17:33 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/3a8cb8a0eb/?limit=25#c267</guid></item><item><title>johan posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/537f768d67/?limit=25#84cf</link><description>Hello, I was wondering if someone has stumbled across a similar issue. 
I have a web applications running Modsec and the apache error log only logs IDS 949110, 980130. No other IDs are logged at all which makes evaluating false positives quite difficult. I feel as this is not related to the error log format since I have a second application working correctly with the same format. Any help is greatly appreciated. Thank you! [Sun Sep 01 07:17:30.255322 2019] [:error] [pid 5029] [client ] [client ] ModSecurity:...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">johan</dc:creator><pubDate>Mon, 02 Sep 2019 11:08:29 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/537f768d67/?limit=25#84cf</guid></item><item><title>Chaim Sanders posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/c72cdccade/?limit=25#5c14/c336</link><description>These are Comodo's rules, you'll have to reach out to them for support. Thanks! On Tue, May 28, 2019 at 1:49 AM Ehsan Javidi javidi@users.sourceforge.net wrote: Hi There is a strange problem with the site that the mode Security plugin has blocked. The plugin recognizes the site's address as an injection! WAF error: http://oneclickpaste.com/9311/ domian: wordpress@amlakeparand.com Data has the following conditions: 1- has "&lt;" first 2- has "and." somewhere after 1 3- has "&gt;" somewhere after 2 regular...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chaim Sanders</dc:creator><pubDate>Tue, 28 May 2019 19:19:06 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/c72cdccade/?limit=25#5c14/c336</guid></item><item><title>Ehsan Javidi posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/c72cdccade/?limit=25#5c14</link><description>Hi There is a strange problem with the site that the mode Security plugin has blocked. 
The plugin recognizes the site's address as an injection! WAF error: http://oneclickpaste.com/9311/ domian: wordpress@amlakeparand.com Data has the following conditions: 1- has "&lt;" first 2- has "and." somewhere after 1 3- has "&gt;" somewhere after 2 regular expression detected! .&lt;.and..*&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ehsan Javidi</dc:creator><pubDate>Tue, 28 May 2019 08:49:47 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/c72cdccade/?limit=25#5c14</guid></item><item><title>Chaim Sanders posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/9b89ff18fe/?limit=25#a0b3/ba3e</link><description>Glad you got it working :) On Sun, Apr 14, 2019, 11:42 AM Escher Penrose penrose@users.sourceforge.net wrote: Great ! It work fine In crs-setup.conf i change SecDefaultAction "phase:1,log,auditlog,pass" SecDefaultAction "phase:2,log,auditlog,pass" by SecDefaultAction "phase:1,logdata:%{request_headers.host},log,auditlog,pass" SecDefaultAction "phase:2,logdata:%{request_headers.host},log,auditlog,pass" And i obtain: [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chaim Sanders</dc:creator><pubDate>Sun, 14 Apr 2019 21:23:33 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/9b89ff18fe/?limit=25#a0b3/ba3e</guid></item><item><title>&lt;REDACTED&gt; posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/9b89ff18fe/?limit=25#a0b3</link><description>Great ! 
It work fine In crs-setup.conf i change SecDefaultAction "phase:1,log,auditlog,pass" SecDefaultAction "phase:2,log,auditlog,pass" by SecDefaultAction "phase:1,logdata:%{request_headers.host},log,auditlog,pass" SecDefaultAction "phase:2,logdata:%{request_headers.host},log,auditlog,pass" And i obtain: [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"]...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">&lt;REDACTED&gt;</dc:creator><pubDate>Sun, 14 Apr 2019 18:42:12 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/9b89ff18fe/?limit=25#a0b3</guid></item><item><title>&lt;REDACTED&gt; posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/9b89ff18fe/?limit=25#9b2c</link><description>Thanks Chaim. I had another answer that it was hard coded. I also asked my question in the issues of ModSecurity. I try your solution, I wait also for the third answer and I tell you where I'm :D Have a nice day Regards</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">&lt;REDACTED&gt;</dc:creator><pubDate>Sun, 14 Apr 2019 11:12:11 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/9b89ff18fe/?limit=25#9b2c</guid></item><item><title>Chaim Sanders posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/9b89ff18fe/?limit=25#60a0/057f</link><description>This can be done! You'd want to capture the value of REQUEST_HEADERS:Host and add it to one of the output areas https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#request_headers. 
I'd recommend something like "logdata:%{MY_HOST_HEADER}" ( https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#logdata ). Now the real key here is that since you're using CRS, you'll want to change the action of all those rules to include this logdata. The recommended approach is to...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chaim Sanders</dc:creator><pubDate>Sat, 13 Apr 2019 17:09:59 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/9b89ff18fe/?limit=25#60a0/057f</guid></item><item><title>&lt;REDACTED&gt; posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/9b89ff18fe/?limit=25#60a0</link><description>Hello, I'm using Mod Security 2.9.3 with IIS 10. It works well but I can’t distinguish the impacted site in the message generated in the EventLog. Here an example: [client x.x.x.x] ModSecurity: Warning. detected XSS using libinjection. [file "C:\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "64"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: &lt;script&gt;alert(\x22Hello! I am an alert box!\x22);&lt;/script&gt; found...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">&lt;REDACTED&gt;</dc:creator><pubDate>Sat, 13 Apr 2019 09:24:08 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/9b89ff18fe/?limit=25#60a0</guid></item><item><title>OlympiaLady posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/cbf8dd7cc7/?limit=25#acf7</link><description>We have a nginx system that does very simple load balancing. Clients contact the proxy server, and are round robined to other systems. I would like to change this setup to a reverse proxy with nginx and ModSecurity. 
Is it possible to both install nginx integrated with modsecurity and use my same simple load balancing? If not, can I do this with the ModSecurity Apache reverse proxy using mod_proxy_balancer at the same time? The nginx setup is something like: http { upstream myapp1 { server srv1.example.com;...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">OlympiaLady</dc:creator><pubDate>Wed, 03 Apr 2019 22:30:51 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/cbf8dd7cc7/?limit=25#acf7</guid></item><item><title>Alex Kyrlis posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/90c3d6bc22/?limit=25#9af4</link><description>Hello, We are filtering body POST data for certain strings. They are mostly Greek characters. When rules are triggered, the strings do not appear as UTF8. This is an example of what we get on logs: \xce\xb8\xce\xb1 \xce\xb4\xce\xb7 Is it possible to show them properly? Thanks Alex</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Alex Kyrlis</dc:creator><pubDate>Wed, 02 Jan 2019 16:20:57 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/90c3d6bc22/?limit=25#9af4</guid></item><item><title>Alex Kyrlis posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/710a8626c3/?limit=25#542a</link><description>Hello, I'm using Mod Security with IIS 10. When a rule is triggered, mod security creates an event log on event viewer on Windows. This log contains the REMOTE_ADDR value, but since we are behind a proxy (Cloudflare) I would like it to log a custom header (HTTP_CF_Connecting_IP) so we get the real client IP. Is it possible to do that? 
Thanks Alex</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Alex Kyrlis</dc:creator><pubDate>Wed, 02 Jan 2019 15:23:55 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/710a8626c3/?limit=25#542a</guid></item><item><title>Mat posted a comment on discussion Help</title><link>https://sourceforge.net/p/mod-security/discussion/234155/thread/3d5d19135f/?limit=25#8fc7</link><description>Hi, I was wondering if ModSecurity can re-write the REQUEST_BODY of an XML request (or RESPONSE_BODY for that fact)? If so, how can it be accomplished? Below are more details; I have an application who's manufacturer went out of business. In the outgoing (or incoming) XML SOAP request, I need to put one of the variables to lowercase. I am using IIS 7 I have found a post about processing text/xml request_body: https://serverfault.com/questions/727596/mod-security-how-to-process-text-xml-request-body...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mat</dc:creator><pubDate>Thu, 06 Dec 2018 21:56:51 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/234155/thread/3d5d19135f/?limit=25#8fc7</guid></item><item><title>Thomas Morgenstern-Jehia modified a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/0067c6a107/?limit=25#cb3e</link><description>Information about the system environment: - Advanced ModSecurity rules from Atomicorp (Thorough) - Ubuntu 16.04.5 LTS - Plesk Onyx Version 17.8.11 Update # 30 - Nextcloud 14.03 I often have these or similar error messages in the logfile. But I can not find any ID that I can use to disable this rule. The entries [xxx] have been changed by me here. 
--5bf1b05a-A-- [15 / Nov / 2018: 19: 41: 35 +0100] W @ 2931Gp6DgAAC9PSpAAAAAB 95.90.239.156 58042 81.169.232.56 7081 --5bf1b05a-B-- OPTIONS /remote.php/dav/principals/users/[xxx]/...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Morgenstern-Jehia</dc:creator><pubDate>Fri, 16 Nov 2018 15:16:20 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/0067c6a107/?limit=25#cb3e</guid></item><item><title>Thomas Morgenstern-Jehia modified a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/0067c6a107/?limit=25#cb3e</link><description>Information about the system environment: - Advanced ModSecurity rules from Atomicorp (Thorough) - Ubuntu 16.04.5 LTS - Plesk Onyx Version 17.8.11 Update # 30 I often have these or similar error messages in the logfile. But I can not find any ID that I can use to disable this rule. The entries [xxx] have been changed by me here. --5bf1b05a-A-- [15 / Nov / 2018: 19: 41: 35 +0100] W @ 2931Gp6DgAAC9PSpAAAAAB 95.90.239.156 58042 81.169.232.56 7081 --5bf1b05a-B-- OPTIONS /remote.php/dav/principals/users/[xxx]/...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Morgenstern-Jehia</dc:creator><pubDate>Fri, 16 Nov 2018 15:14:59 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/0067c6a107/?limit=25#cb3e</guid></item><item><title>Thomas Morgenstern-Jehia posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/0067c6a107/?limit=25#cb3e</link><description>Information about the system environment: - Advanced ModSecurity rules from Atomicorp (Thorough) - Ubuntu 16.04.5 LTS - Plesk Onyx Version 17.8.11 Update # 30 I often have these or similar error messages in the logfile. But I can not find any ID that I can use to disable this rule. 
The entries [xxx] have been changed by me here. --5bf1b05a-A-- [15 / Nov / 2018: 19: 41: 35 +0100] W @ 2931Gp6DgAAC9PSpAAAAAB 95.90.239.156 58042 81.169.232.56 7081 --5bf1b05a-B-- OPTIONS /remote.php/dav/principals/users/[xxx]/...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Morgenstern-Jehia</dc:creator><pubDate>Fri, 16 Nov 2018 15:14:09 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/0067c6a107/?limit=25#cb3e</guid></item><item><title>widianto posted a comment on discussion Help</title><link>https://sourceforge.net/p/mod-security/discussion/234155/thread/6d1832fdd8/?limit=25#4428</link><description>the default log will store on /var/log/modsec_audit.log, it will store everything to /var/log/modsec_audi.log and the issue is we hard to read every log one by one to check the false positive for every website. My question is, is there a way to log modsec by Vhosts ? Thanks for your help.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">widianto</dc:creator><pubDate>Wed, 14 Nov 2018 10:25:45 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/234155/thread/6d1832fdd8/?limit=25#4428</guid></item><item><title>Brad posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/149d39be/?limit=25#3d84</link><description>Thanks Victor for the reply, I've now changed the behaviour to "traditional" and seeing the expected results. 
Cheers</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad</dc:creator><pubDate>Sun, 23 Sep 2018 00:55:21 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/149d39be/?limit=25#3d84</guid></item><item><title>Victor Hora posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/149d39be/?limit=25#d798/9bd2</link><description>Hi, Make sure that your SecRuleEngine https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecRuleEngine directive is set to "on". If it's "DetectionOnly" or "off" you will only get warnings. I haven't gone through all of your logs, but the way that the OWASP CRS works by default is using the approach of "delayed blocking", meaning that a number of rules can match and only cause warnings, but each rule that match gets added to a score. After all the rules are evaluated the final...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Victor Hora</dc:creator><pubDate>Sat, 22 Sep 2018 21:24:35 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/149d39be/?limit=25#d798/9bd2</guid></item><item><title>Brad posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/149d39be/?limit=25#d798</link><description>anyone</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad</dc:creator><pubDate>Thu, 20 Sep 2018 22:45:52 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/149d39be/?limit=25#d798</guid></item><item><title>Brad modified a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/149d39be/?limit=25#a176</link><description>Hi, I've setup a new cpanel server woth mod security enabled. I see some hits below, are these actually being "blocked" or only reported on? 
Usually I'd see ModSecurity: Access Denied in the log if it was blocked, however for the below I'm only seeing ModSecurity: Warning, would appreciate any help. Thanks [Wed Sep 19 08:18:05.298993 2018] [:error] [pid 82247:tid 139900061951744] [client 36.25.122.153:57249] [client 36.25.122.153] ModSecurity: Warning. Matched phrase "$_POST" at ARGS:0. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"]...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad</dc:creator><pubDate>Wed, 19 Sep 2018 03:21:13 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/149d39be/?limit=25#a176</guid></item><item><title>Brad posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/149d39be/?limit=25#a176</link><description>Hi, I've setup a new cpanel server with mod security enabled. I see some hits below, are these actually being "blocked" or only reported on? Usually I'd see ModSecurity: Access Denied in the log if it was blocked, however for the below I'm only seeing ModSecurity: Warning, would appreciate any help. Thanks [Wed Sep 19 08:18:05.298993 2018] [:error] [pid 82247:tid 139900061951744] [client 36.25.122.153:57249] [client 36.25.122.153] ModSecurity: Warning. Matched phrase "$_POST" at ARGS:0. 
[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"]...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad</dc:creator><pubDate>Wed, 19 Sep 2018 03:16:54 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/149d39be/?limit=25#a176</guid></item><item><title>Amin El-Zein posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/8917a480/?limit=25#2deb</link><description>i have some applications on behind server name app02 my server is working as reverse proxy+ mod sec name rp-srv some applications show an errors when request some pages that contain some information about system like c:\windows etc.... i want to block the pages that could contains this words if the client try to request it or the page show an error that contain c:\windows in other word: if any page will load and have a "c:\windows or eror" in content it will be blocked thanks.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Amin El-Zein</dc:creator><pubDate>Tue, 04 Sep 2018 15:28:05 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/8917a480/?limit=25#2deb</guid></item>
<item><title>Davy YG posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/17904cdd/?limit=25#8f39</link><description>Hello All, I have two questions. 1) Is it possible to install ModSecurity on a laptop on a localhost and test sqlia and check the report? 2) Is it possible to install ModSecurity on a VPS and have the domain IP address pointing to the Mod Security WAF in the VPS? If so how to set up the domain IP address? 
Thanks.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Davy YG</dc:creator><pubDate>Wed, 25 Jul 2018 02:55:31 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/17904cdd/?limit=25#8f39</guid></item><item><title>hans mayer posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/53226ad6/?limit=25#91fd</link><description>You can set the limit for example with 10k with the following statement # set actual request size limit SecRequestBodyLimit 10000 # actually generate an HTTP error, instead of truncating SecRequestBodyLimitAction Reject</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">hans mayer</dc:creator><pubDate>Mon, 16 Jul 2018 20:56:27 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/53226ad6/?limit=25#91fd</guid></item><item><title>Kwak posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/29db3441/?limit=25#9f87</link><description>i installed modsecurity 2.9.2 on iis 10 it works fine. if i apply ssl(https) on my website, modsecurity can analyze and block traffic matched with rules? Or is there another way? thanks~</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Kwak</dc:creator><pubDate>Wed, 04 Jul 2018 07:16:35 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/29db3441/?limit=25#9f87</guid></item><item><title>hans mayer posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/6bacefdd/?limit=25#2f95</link><description>Dear All, My environment: Apache/2.4 , engine mode: /modsecurity 2.7+ I want to achieve whenever any security rule is triggered a script should be executed for a specific directory. 
In the global apache security module settings I have this line: SecDefaultAction "phase:2,deny,log,status:406" which does it's job very well So my idea was I define a similar line for this specific directory. In my apache http.conf I have: &lt;Directory "/some/directory/path"&gt; SecDefaultAction "phase:2,deny,log,status:406,exec:/path/to/script"...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">hans mayer</dc:creator><pubDate>Sun, 01 Jul 2018 21:00:03 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/6bacefdd/?limit=25#2f95</guid></item><item><title>Nisari posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/5d32a674/?limit=25#71a3</link><description>I was using the nginx refactoring branch with modsecurity 2.9, earlier. Now, I have recompiled modsecurity (3.0) with the nginx-modsecurity connector. I had added 2 custom rules that were working well in the old compilation. But, now I am getting an error as follows while trying to restart nginx: nginx[18002]: [120B blob data] nginx[18002]: nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed Should I modify anything in the custom rules to get the rules working with modsecurity...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Nisari</dc:creator><pubDate>Tue, 29 May 2018 14:17:53 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/5d32a674/?limit=25#71a3</guid></item><item><title>Mike Parsons posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/3f614537/?limit=25#14e7</link><description>I'm trying to disable an .axd match that comes from OWASP ruleset with id: 920440. I have the following in my custom conf file that is loaded after all other rules. Anybody have any suggestion why the .axd extension is still being flagged ? 
SecRuleUpdateTargetById 920440 !ARGS:.axd Log: ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Parsons</dc:creator><pubDate>Tue, 17 Apr 2018 18:06:50 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/3f614537/?limit=25#14e7</guid></item><item><title>Joseph Jozwik modified a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/bca9ce04/?limit=25#9f40/5c86/b268</link><description>Yes that is it :-)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Jozwik</dc:creator><pubDate>Thu, 29 Mar 2018 17:09:55 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/bca9ce04/?limit=25#9f40/5c86/b268</guid></item><item><title>Joseph Jozwik posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/bca9ce04/?limit=25#9f40/5c86/b268</link><description>Yes that is ie :-)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Jozwik</dc:creator><pubDate>Thu, 29 Mar 2018 17:09:44 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/bca9ce04/?limit=25#9f40/5c86/b268</guid></item><item><title>Joseph Jozwik posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/bca9ce04/?limit=25#231a</link><description>These rules seems to work SecRule ARGS_GET_NAMES "^(#.*)$" "id:193,log,deny,msg:'Block ARGS Name with hash GET'" SecRule ARGS_POST_NAMES "^(#.*)$" "id:192,log,deny,msg:'Block ARGS Name with hash POST',logdata:'%{tx.httpbl_msg}',setvar:tx.httpbl_msg=$" SecRule REQUEST_COOKIES_NAMES "^(#.*)$" "id:194,log,deny,msg:'Block ARGS Name with hash 
COOKIE'"</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Jozwik</dc:creator><pubDate>Thu, 29 Mar 2018 17:09:00 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/bca9ce04/?limit=25#231a</guid></item><item><title>Chaim Sanders posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/bca9ce04/?limit=25#9f40/5c86</link><description>I see what you're going for. Check out the regex the OWASP Core Rule Set twitter (https://twitter.com/CoreRuleSet) just suggested: SecRule ARGS_NAMES|REQUEST_COOKIES_NAMES "@rx ^#|[(?:\'|\")?#.*]" "id:123,phase:2,deny,status:403,t:urldecodeuni,msg:'SA-CORE-2018-002'" On Thu, Mar 29, 2018 at 10:10 AM, Joseph Jozwik jjozwik@users.sourceforge.net wrote: Working on a rule to block traffic based on the starting character of ARGS_NAMES either cookie, get or post Example allow name=Joe Example block name=Joe...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chaim Sanders</dc:creator><pubDate>Thu, 29 Mar 2018 16:41:55 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/bca9ce04/?limit=25#9f40/5c86</guid></item><item><title>Joseph Jozwik modified a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/bca9ce04/?limit=25#9f40</link><description>Working on a rule to block traffic based on the starting character of ARGS_NAMES either cookie, get or post Example allow name=Joe Example block #name=Joe Test rule that is not working SecRule ARGS_NAMES "^(#.*)$" "phase:1,id:199,log,deny,msg:'Block Argname with hash'"</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Jozwik</dc:creator><pubDate>Thu, 29 Mar 2018 14:56:51 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/bca9ce04/?limit=25#9f40</guid></item><item><title>Joseph Jozwik posted a comment on discussion 
Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/bca9ce04/?limit=25#9f40</link><description>Working on a rule to block traffic based on the starting character of ARGS_NAMES either cookie, get or post Example allow name=Joe Example block name=Joe Test rule that is not working SecRule ARGS_NAMES "^(#.*)$" "phase:1,id:199,log,deny,msg:'Block Argname with hash'"</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Jozwik</dc:creator><pubDate>Thu, 29 Mar 2018 14:10:53 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/bca9ce04/?limit=25#9f40</guid></item><item><title>Andre posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/53226ad6/?limit=25#1b3d</link><description>Hello, In the standard rules, I noticed there is not rule defined for big files except in the general configuration in modsecurity.conf but which does not give an alert to user. Does anybody know a detailed rule which can do this? 
I myself am a newbie to modsecurity and am surprised that this was in part of the standard set.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Andre</dc:creator><pubDate>Thu, 08 Mar 2018 15:36:10 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/53226ad6/?limit=25#1b3d</guid></item><item><title>anupam narayan modified a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/9e641315/?limit=25#0886</link><description>Hi, We have configured modsecurity on CentOS 7.4 with no any OpenSource Rules ( apache 2.4 with mod security version 2.9.2 ) . Later we purchased commercial rules and enabled the license in apache configuration files. Now with this modsecurity is able to detect the attack but it is not blocking any attack, Although SecRuleEngine On in configuration file but with all hit &amp; trial we still didn't get what we are missing , your help will be highly appreciated. Thanks in advance. Regards Anupam Narayan...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">anupam narayan</dc:creator><pubDate>Thu, 08 Mar 2018 05:09:02 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/9e641315/?limit=25#0886</guid></item><item><title>anupam narayan posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/9e641315/?limit=25#0886</link><description>Hi, We have configured modsecurity on CentOS 7.4 with no any OpenSource Rules ( apache 2.4 with mod security version 2.9.2 ) . Later we purchased commercial rules and enabled the license in apache configuration files. 
Now with this modsecurity is able to detect the attack but it is not blocking any attack, Although SecRuleEngine On in configuration file but with all hit &amp; trial we still didn't get what we are missing , your help will be highly appreciated. 
Thanks in advance. Regards Anupam Narayan...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">anupam narayan</dc:creator><pubDate>Wed, 07 Mar 2018 12:02:33 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/9e641315/?limit=25#0886</guid></item><item><title>Bill Soranno posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/f3982851/?limit=25#da65</link><description>I am trying to compile ModSecurity on Debian 9 with NGINX 1.13.9. I am following the steps in this article: https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/ It fails on the make command. Here is the dump from running the command sudo make: Making all in others make[1]: Entering directory '/etc/ModSecurity/others' depbase=echo libinjection/src/libinjection_html5.lo | sed 's|[^/]$|.deps/&amp;|;s|.lo$||'; /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Bill Soranno</dc:creator><pubDate>Mon, 05 Mar 2018 13:46:25 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/f3982851/?limit=25#da65</guid></item><item><title>Nick posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/5a2a16a2/?limit=25#40ca</link><description>Hi everyone, I am trying ModSecurity 3.0 with OWASP CRS in Nginx. The Nginx with ModSecurity is used as a reverse proxy server to proxy requests to multiple application servers behind Nginx. I would like to use a separate modsecurity.conf to configure the following settings for each application. 
* SecRuleEngine (some application use block mode, some application use detection only) * crs-setup.conf (to configure different paranoid level and threshold score for each application) * include different OWASP...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Nick</dc:creator><pubDate>Thu, 01 Mar 2018 08:22:52 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/5a2a16a2/?limit=25#40ca</guid></item><item><title>Nisari modified a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/1362d36c/?limit=25#1576</link><description>I am using modsecurity with nginx(v1.13.6) on ubuntu 16.04. When I try to upload a zip files/single jpeg/mov files via an API to my web server, I get the following error in the modsecurity error log. 2018/02/28 05:14:04 [error] 1893#0: [client 103...*] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "309"] [id "920180"] [rev "1"] [msg "POST request missing Content Length Header."]...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Nisari</dc:creator><pubDate>Wed, 28 Feb 2018 05:50:27 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/1362d36c/?limit=25#1576</guid></item><item><title>Nisari posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/1362d36c/?limit=25#1576</link><description>I am using modsecurity with nginx(v1.13.6) on ubuntu 16.04. When I try to upload a zip files/single jpeg/mov files via an API to my web server, I get the following error in the modsecurity error log. 2018/02/28 05:14:04 [error] 1893#0: [client 103...*] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. 
[file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "309"] [id "920180"] [rev "1"] [msg "POST request missing Content Length Header."]...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Nisari</dc:creator><pubDate>Wed, 28 Feb 2018 05:22:22 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/1362d36c/?limit=25#1576</guid></item><item><title>Greg Williams posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/20b1ba2a/?limit=25#bd37</link><description>Hi All, I have Modsecurity setup on IIS and have setup the Geo Lookup rule, I have downloaded the latest database and specified the following rule SecGeoLookupDb 'GeoDB\GeoLiteCity.dat' SecRule REMOTE_ADDR "@geoLookup" "chain,id:22,status:403,drop,msg:'Non-GB or IE IP address'" SecRule GEO:COUNTRY_CODE "!@pm GB IE" "t:none" However I always get the error - Geo lookup for "IP:port" failed: No such host is known. The server allows all traffic to pass. I have tried this for various different IP addresses...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Greg Williams</dc:creator><pubDate>Tue, 27 Feb 2018 11:32:10 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/20b1ba2a/?limit=25#bd37</guid></item><item><title>Ramesh Patel posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/52bf47b6/?limit=25#e1f1</link><description>I have installed modsecurity 3 with nginx version nginx/1.12.2 and when we set modsecurity in detectiononly mode we get a bunch of failures during our cucumber unit testing process. 
I have looked at nginx and the only error I see is the following: 2018/02/22 03:56:46 [info] 2256#2256: *1923 epoll_wait() reported that client prematurely closed connection, so upstream connection is closed too while connecting to upstream, client: 130.211.141.241, server: _, request: "POST /organization/javasdkorg1519270783471v276/event/questionnaire/type...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ramesh Patel</dc:creator><pubDate>Thu, 22 Feb 2018 19:33:49 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/52bf47b6/?limit=25#e1f1</guid></item><item><title>ayesha gupta posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/5fce2493/?limit=25#8b97</link><description>Mistake code err_spdy_protocol_error may likewise emerge because of some issue in your antivirus. On the off chance that you are utilizing Avast Antivirus on your gadget then you can include the address of the site which is giving this mistake to the execution rundown of Avast Antivirus. Avast antivirus helps in settling this issue just by overlooking the pages which are demonstrating this mistake. For settling this mistake with the assistance of Avast Antivirus you can simply take after the means...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ayesha gupta</dc:creator><pubDate>Sun, 07 Jan 2018 16:05:43 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/5fce2493/?limit=25#8b97</guid></item><item><title>Leon posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/17606e96/?limit=25#597d</link><description>Despite a ton of Googling, reading the Modsecurity Handbook and trial and error I still can't figure out if I can adjust sensitivity to specific rules on specific cookies. 
Our false positives seem to be caused by rules 981260 and 981231 finding matches in the XSRF token cookies automatically made by our website's framework. I can disable the rules for the cookies, but I'd like to know if I can just make the existing ones less sensitive for specific cookie names so there's still some security in place....</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Leon</dc:creator><pubDate>Thu, 04 Jan 2018 15:41:36 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/17606e96/?limit=25#597d</guid></item><item><title>Kent Peter Gaardmand posted a comment on discussion Help</title><link>https://sourceforge.net/p/mod-security/discussion/234155/thread/8ec1ea12/?limit=25#a3a7</link><description>I have a 2016 with IIS10; I have installed the latest version of Mediawiki and Modsecurity. I had a few base rules that created false positives; after removing them I was still not able to log in and no further events were logged. I have tried removing all the rules; still I am unable to log in. So far I can only uninstall modsecurity for my mediawiki to work. 
Happy new year and kind regards Kent</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Kent Peter Gaardmand</dc:creator><pubDate>Sat, 30 Dec 2017 23:45:53 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/234155/thread/8ec1ea12/?limit=25#a3a7</guid></item><item><title>Chaim Sanders posted a comment on discussion Help</title><link>https://sourceforge.net/p/mod-security/discussion/234155/thread/5a34e591/?limit=25#c5c1</link><description>This forum isn't supported anymore, please use github or IRC for support.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chaim Sanders</dc:creator><pubDate>Sun, 10 Dec 2017 02:54:19 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/234155/thread/5a34e591/?limit=25#c5c1</guid></item><item><title>Thiagarajan Socrates posted a comment on discussion Help</title><link>https://sourceforge.net/p/mod-security/discussion/234155/thread/5a34e591/?limit=25#382a</link><description>We have added mod-security(2.9) plugin for input data filtering with malicious input with apache webserver and it was working fine. But then we are facing issue in the below scenario. During the application login, server will generate access token and also a refresh token (set the same as cookie) while sending back to the browser. When the access token expires, UI will send the refresh token to generate the new access token to the server. 
Application will use the refresh token as an authentication...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thiagarajan Socrates</dc:creator><pubDate>Sun, 10 Dec 2017 00:19:50 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/234155/thread/5a34e591/?limit=25#382a</guid></item><item><title>Mervin Govender posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/d524fb3f/?limit=25#fd8d</link><description>How do I open port 3306 for remote mysql connect?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mervin Govender</dc:creator><pubDate>Mon, 16 Oct 2017 11:05:25 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/d524fb3f/?limit=25#fd8d</guid></item><item><title>Chaim Sanders posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/b4bb9559/?limit=25#f97c</link><description>Hey @Daniel Kolar, This forum isn't supported anymore. If you have any further questions please reach out on the ModSecurity Github page. Thanks!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chaim Sanders</dc:creator><pubDate>Mon, 16 Oct 2017 03:12:45 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/b4bb9559/?limit=25#f97c</guid></item><item><title>Daniel Kolar posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/b4bb9559/?limit=25#8bdb</link><description>Here is a related issue, and what worked is to edit the mod security .conf file that contains the custom mod. sec. rules and add a special rule. 
# Disable ModSecurity for certain file names SecRule REQUEST_URI "(ajax.php|editpost.php|newthread.php|newpost.php|otherfilename.php)" "id:945998,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off" Though it would be better to whitelist full path including domain, not just file name. But for that i am unsure how to do now.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Daniel Kolar</dc:creator><pubDate>Sun, 15 Oct 2017 12:38:06 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/b4bb9559/?limit=25#8bdb</guid></item><item><title>Daniel Kolar modified a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/b4bb9559/?limit=25#e42d</link><description>Hello, when submitting new content via: mydomain.com/newarticle.php mydomain.com/newthread.php it triggers multiple "deny" mod security rules, i do not want to tweak these rules anyhow, instead i want to whitelist mentioned files from blocking by mod security i tried to 1. create new rule on the top of all rules in /usr/local/apache/conf/modsec2.user.conf SecRule REQUEST_URI "newarticle|newthread" "id:1045787,phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off" Does not work, other rules still trigger...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Daniel Kolar</dc:creator><pubDate>Wed, 11 Oct 2017 11:06:25 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/b4bb9559/?limit=25#e42d</guid></item><item><title>Vit Jan modified a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/b4bb9559/?limit=25#e42d</link><description>Hello, when submitting new content via: mydomain.com/newarticle.php mydomain.com/newthread.php it triggers multiple mod security rules, i do not want to tweak these rules anyhow, instead i want to whitelist mentioned files from blocking by mod security i tried to 1. 
create new rule on the top of all rules in /usr/local/apache/conf/modsec2.user.conf SecRule REQUEST_URI "newarticle|newthread" "id:1045787,phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off" Does not work, other rules still trigger 403....</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Vit Jan</dc:creator><pubDate>Wed, 11 Oct 2017 11:03:50 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/b4bb9559/?limit=25#e42d</guid></item><item><title>Vit Jan posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/b4bb9559/?limit=25#e42d</link><description>Hello, when submitting new content via: mydomain.com/newarticle.php mydomain.com/newthread.php it triggers multiple mod security rules, i do not want to tweak these rules anyhow, instead i want to whitelist mentioned files from blocking by mod security i tried to 1. create new rule on the top of all rules in /usr/local/apache/conf/modsec2.user.conf SecRule REQUEST_URI "editpost|newreply|newthread" "id:1076487,phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off" Does not work, other rules still trigger...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Vit Jan</dc:creator><pubDate>Wed, 11 Oct 2017 11:03:08 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/b4bb9559/?limit=25#e42d</guid></item><item><title>Chaim Sanders posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/eb349380/?limit=25#38ae</link><description>Please open such issues on github to get assistance https://github.com/SpiderLabs/owasp-modsecurity-crs</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chaim Sanders</dc:creator><pubDate>Mon, 25 Sep 2017 23:17:49 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/eb349380/?limit=25#38ae</guid></item><item><title>Gary posted a comment on 
discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/eb349380/?limit=25#a0d8</link><description>I was hoping someone can assist us mitigating an ongoing attack. We use Opencart. We have several servers with a dozen or so installations on each. Recently there was a Python script released that can password attack the Opencart admin. It hits the admin page directly and from what I can work out from the code it recognizes it has been successful by checking for a cookie. Most of our domains are being hit. Opencart gives a HTTP/1.1" 200 on a failed login. The user-agent is always different and the...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Gary</dc:creator><pubDate>Fri, 22 Sep 2017 11:58:06 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/eb349380/?limit=25#a0d8</guid></item><item><title>Sascha Papini posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/f1368bcb/?limit=25#ccc9</link><description>Hi all, I want to block cross scripting in header Authorization Basic. 
For example, I have: POST /tr069/ HTTP/1.1 Host: carontetest.digitelitalia.com:8445 Content-Length: 1412 Accept-Encoding: gzip, deflate, compress SOAPAction: Accept: / User-Agent: python-requests/2.2.1 CPython/2.7.6 Linux/4.4.0-81-generic Authorization: Basic Ii8+PHNjcmlwdD5hbGVydCgieHNzIDspIik8L3NjcmlwdD46cGFzcw== Ii8+PHNjcmlwdD5hbGVydCgieHNzIDspIik8L3NjcmlwdD46cGFzcw== is "/&gt;&lt;script&gt;alert("xss ;)")&lt;/script&gt;:pass I write SecRule...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sascha Papini</dc:creator><pubDate>Wed, 19 Jul 2017 14:25:30 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/f1368bcb/?limit=25#ccc9</guid></item><item><title>jay posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/ac668b3b/?limit=25#ed8e</link><description>mod security config file as follows: &lt;IfModule mod_security2.c&gt; # Default recommended configuration SecRuleEngine On SecRuleInheritance On SecRequestBodyAccess On SecRule REQUEST_HEADERS:Content-Type "text/xml" \ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" SecRequestBodyLimit 13107200 SecRequestBodyNoFilesLimit 131072 SecRequestBodyInMemoryLimit 131072 SecRequestBodyLimitAction Reject SecRule REQBODY_ERROR "!@eq 0" \ "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">jay</dc:creator><pubDate>Fri, 05 May 2017 19:48:11 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/ac668b3b/?limit=25#ed8e</guid></item><item><title>jay posted a comment on discussion Installation and Configuration</title><link>https://sourceforge.net/p/mod-security/discussion/1298050/thread/ac668b3b/?limit=25#3e86</link><description>Please refer to the log below. Even though rule matches it does not block the request. 
Let me know if I am missing anything. Thanks --b8246541-A-- [02/May/2017:22:47:47 +0000] WQkMkn8AAAEAAEQeufQAAAAC 192.168.34.199 10787 192.168.34.202 80 --b8246541-B-- GET /index.php?action=&amp;type=view&amp;s=&amp;id=-1%27%20union%20select%200,concat(char(85),char(115),char(101),char(114),char(110),char(97),char(109),char(101),char(58),name,char(32),char(124),char(124),char(32),char(80),char(97),char(115),char(115),char(119),char(111),char(114),char(100),char(58),pass),0,0,0,0,0%20from%20phpdesk_admin/*...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">jay</dc:creator><pubDate>Fri, 05 May 2017 19:46:35 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298050/thread/ac668b3b/?limit=25#3e86</guid></item><item><title>BJ van Dijk posted a comment on discussion Rules</title><link>https://sourceforge.net/p/mod-security/discussion/1298046/thread/6123c32e/?limit=25#96d5</link><description>Q1: In REQUEST-912-DOS-PROTECTION.conf, the ip.dos_counter is increased for every request made to a none static resource, As soon as it hits the threshold, ip.dos_burst_counter is set/increased by 1, which expires after ip.dos_burst_time_slice. So when we have a threshold of 100, and over a couple of days we reach 100, ip.dos_burst_counter=1. If PL is set to 1, it will only trigger when the dos_burst_counter = 2. Normally there will be enough time for the dos_burst_counter to expire. But in PL 2,...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">BJ van Dijk</dc:creator><pubDate>Mon, 24 Apr 2017 08:52:24 -0000</pubDate><guid>https://sourceforge.net/p/mod-security/discussion/1298046/thread/6123c32e/?limit=25#96d5</guid></item></channel></rss>