
[Tutorial 12] Unclear how expirevar works #65

Open
studersi opened this issue Apr 3, 2018 · 0 comments
Comments

studersi commented Apr 3, 2018

# Rule 10001: inbound anomaly score of 5 or more -> keep ip.logflag alive for 600 s
SecRule TX:INBOUND_ANOMALY_SCORE  "@ge 5" \
  "phase:5,pass,id:10001,log,msg:'Logging enabled (High incoming anomaly score)', \
  expirevar:ip.logflag=600"

# Rule 10002: same for the outbound anomaly score
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge 5" \
  "phase:5,pass,id:10002,log,msg:'Logging enabled (High outgoing anomaly score)', \
  expirevar:ip.logflag=600"

# Rule 10003: while ip.logflag exists (& counts matching variables), switch on the full audit log
SecRule &IP:LOGFLAG               "@eq 1" \
  "phase:5,pass,id:10003,log,msg:'Logging is enabled. Enforcing rich auditlog.', \
  ctl:auditEngine=On,ctl:auditLogParts=+EIJ"

We’ll use this ability to check its core rules anomaly score in the logging phase of the request. If it is 5 or higher (corresponding to an alarm or the critical level), we set the variable ip.logflag and via expirevar give it an expiration of 600 seconds. This means that this variable remains in the IP collection for ten minutes and then disappears on its own automatically. This mechanism is repeated for the outgoing anomaly score in the subsequent rule.

Where is that in the configuration?

Does expirevar:ip.logflag=600 do both at the same time?
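The following Python model is an added example, not code from the tutorial or from ModSecurity itself. It makes the difference between `expirevar` on its own and `setvar` followed by `expirevar` concrete, under these assumptions about ModSecurity 2.x persistent collections: `expirevar` only records a deadline for a named variable (modelled here as a companion entry with an assumed `__expire_` prefix) and does not create or assign the variable; variables whose deadline has passed are dropped when the collection is loaded for a later request; and `&IP:LOGFLAG` counts how many variables named LOGFLAG the collection holds. The anomaly scores, timestamps and request sequence are constructed inputs; the 600 s TTL is the value from the excerpt.

```python
"""Toy model of setvar/expirevar on a persistent ModSecurity IP collection.

Added example, not ModSecurity or netnea tutorial code. Assumptions of the
model: expirevar stores only a deadline in a companion entry; expired
variables are purged when the collection is loaded at the start of a
request; &IP:NAME counts variables called NAME.
"""

from dataclasses import dataclass, field

EXPIRE_PREFIX = "__expire_"  # companion-entry name; an assumption of this model
LOGFLAG_TTL = 600            # seconds, taken from expirevar:ip.logflag=600


@dataclass
class IpCollection:
    """One ip.* collection for a single client address."""
    vars: dict = field(default_factory=dict)

    def setvar(self, name: str, value: int) -> None:
        self.vars[name] = value

    def expirevar(self, name: str, ttl: int, now: int) -> None:
        # Only the deadline is stored; the variable itself is not created.
        self.vars[EXPIRE_PREFIX + name] = now + ttl

    def purge(self, now: int) -> None:
        """Drop variables whose deadline has passed (happens when the
        collection is loaded for a later request)."""
        for key in [k for k in self.vars if k.startswith(EXPIRE_PREFIX)]:
            if self.vars[key] <= now:
                del self.vars[key]
                self.vars.pop(key[len(EXPIRE_PREFIX):], None)

    def count(self, name: str) -> int:
        """&IP:NAME: number of variables with that name (0 or 1 here)."""
        return 1 if name in self.vars else 0


def logging_rules(col: IpCollection, inbound: int, outbound: int,
                  now: int, with_setvar: bool) -> bool:
    """Phase-5 rules 10001-10003 from the excerpt, evaluated for one request.

    with_setvar=False models the rules exactly as quoted (expirevar only);
    with_setvar=True models setvar:ip.logflag=1 placed before expirevar.
    Returns True when rule 10003 (&IP:LOGFLAG @eq 1) matches."""
    col.purge(now)                              # collection loaded for this request
    for score in (inbound, outbound):           # rules 10001 and 10002
        if score >= 5:
            if with_setvar:
                col.setvar("LOGFLAG", 1)
            col.expirevar("LOGFLAG", LOGFLAG_TTL, now)
    return col.count("LOGFLAG") == 1            # rule 10003


def scenario(with_setvar: bool) -> list:
    """Constructed traffic from one IP: an anomalous request at t=0, then
    clean requests at t=300 and t=700. Returns whether rule 10003 fired
    for each of the three requests."""
    col = IpCollection()
    return [
        logging_rules(col, inbound=10, outbound=0, now=0, with_setvar=with_setvar),
        logging_rules(col, inbound=0, outbound=0, now=300, with_setvar=with_setvar),
        logging_rules(col, inbound=0, outbound=0, now=700, with_setvar=with_setvar),
    ]


if __name__ == "__main__":
    print("setvar + expirevar:", scenario(True))    # [True, True, False]
    print("expirevar only:    ", scenario(False))   # [False, False, False]
```

In the model, the rules exactly as quoted never trigger rule 10003, because nothing ever assigns `ip.logflag`; with `setvar:ip.logflag=1` added ahead of `expirevar:ip.logflag=600`, the rich audit log is enforced for the offending request and for the next ten minutes of that client's traffic, then switches itself off. Two caveats that hold for real ModSecurity 2.x regardless of the model: `ip.*` variables are only persisted if the collection was initialised earlier in the transaction (typically `initcol:ip=%{REMOTE_ADDR}` in a phase-1 `SecAction`), and the expiry is checked when the collection is loaded, so a flag is never cleared mid-request.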
