coreruleset / coreruleset

OWASP CRS (Official Repository)
https://coreruleset.org
Apache License 2.0

ModSecurity Variables Automatically Expire After 1 Minute Without ExpireVar Setting #3913

Closed takumi-ricoh closed 2 hours ago

takumi-ricoh commented 2 hours ago

Describe the bug

Variables created using setvar in ModSecurity rules are being automatically deleted after 1 minute, even without explicitly setting expirevar. This occurs when trying to implement custom rules for login attempt tracking without using CRS.

Steps to reproduce

  1. Use the official OWASP ModSecurity CRS Docker image (owasp/modsecurity-crs:4.7.0-nginx-202410090410)
  2. Override /etc/nginx/templates/modsecurity.d/setup.conf.template with custom configuration:
    • Comment out CRS includes:
      # Include /etc/modsecurity.d/owasp-crs/crs-setup.conf
      # Include /etc/modsecurity.d/owasp-crs/rules/*.conf
    • Add custom rule file:
      Include /opt/on_pre_llm/extra_lockout_rule.conf
  3. Implement custom rule for tracking login attempts:
    SecRule REQUEST_URI "@beginsWith /console/api/login" \
       "id:100098,phase:1,pass,\
       chain"
       SecRule &IP.failed_attempts "@eq 0" \
       "setvar:IP.failed_attempts=0,\
       setvar:IP.is_locked=0,\
       msg:'Initialization - Failed attempts: %{IP.failed_attempts}'"
  4. Wait for 1 minute
  5. Make another request to the login endpoint

Expected behaviour

Additional context

Your Environment
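
The login-lockout pattern the report is building, as an added example that is not part of the issue or of the CRS project: every variable is given an explicit lifetime with expirevar, so its expiry no longer depends on whatever default the engine applies. It assumes the /console/api/login path from the report, a 401 response on a failed login, and constructed rule IDs, thresholds and TTLs.

```apache
# Added example, not from the issue or CRS. Assumes the login endpoint from the
# report (/console/api/login) answers HTTP 401 on a failed login; rule IDs,
# thresholds and TTLs below are illustrative and must be adjusted locally.

# Key the per-client collection on the source address (initcol syntax as in
# ModSecurity v2; libmodsecurity v3 accepts the directive as well).
SecAction "id:100090,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# 1. Refuse login attempts from a client that is currently locked out.
SecRule REQUEST_URI "@beginsWith /console/api/login" \
    "id:100091,phase:1,deny,status:429,log,\
    msg:'Login locked out for %{REMOTE_ADDR} after %{ip.failed_attempts} failures',\
    chain"
    SecRule IP:is_locked "@eq 1"

# 2. Count a failed login (backend answered 401) and give the counter an
#    explicit 10-minute lifetime. setvar/expirevar sit on the LAST rule of
#    the chain: non-disruptive actions on the first rule run as soon as that
#    rule alone matches, which would count every login request as a failure.
SecRule REQUEST_URI "@beginsWith /console/api/login" \
    "id:100092,phase:3,pass,nolog,\
    chain"
    SecRule RESPONSE_STATUS "@eq 401" \
        "setvar:ip.failed_attempts=+1,\
        expirevar:ip.failed_attempts=600"

# 3. Lock the client after 5 failures inside the window; the lock itself
#    expires after 15 minutes, independently of the counter.
SecRule IP:failed_attempts "@ge 5" \
    "id:100093,phase:3,pass,log,\
    msg:'Locking out %{REMOTE_ADDR} after %{ip.failed_attempts} failed logins',\
    setvar:ip.is_locked=1,\
    expirevar:ip.is_locked=900"

# 4. A successful login clears both variables immediately.
SecRule REQUEST_URI "@beginsWith /console/api/login" \
    "id:100094,phase:3,pass,nolog,\
    chain"
    SecRule RESPONSE_STATUS "@eq 200" \
        "setvar:!ip.failed_attempts,\
        setvar:!ip.is_locked"
```

With the TTLs stated in the rules, a variable disappearing earlier than its expirevar value points at the engine or its collection storage rather than at the rule set.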

takumi-ricoh commented 2 hours ago

https://github.com/coreruleset/modsecurity-crs-docker/issues/299