owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

Detect user agent and execute action #3184

Open AngelSamuel opened 1 month ago

AngelSamuel commented 1 month ago

Hello!

I would like to know what would be the best way I can do something similar to this (taken from ChatGPT). I would need to detect when there are many WP Rocket requests (User Agent -> “WP Rocket/Preload”) and if it exceeds more than X requests, execute a request to an external server to have it monitored. Would it be possible?

So far what I have, which does not work, is:

SecAction "id:400020,phase:1,nolog,pass,t:none,setvar:tx.wp_rocket_counter=0"

# @contains takes a literal string; a case-insensitive match needs @rx with (?i)
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)Rocket/Preload" \
    "id:400021,phase:1,nolog,pass,setvar:tx.wp_rocket_counter=+1"

SecRule TX:wp_rocket_counter "@gt 10" \
    "id:400022,phase:2,log,deny,status:403,msg:'Too many Rocket/Preload requests detected',\
    exec:'/usr/bin/curl --user-agent \"phmodsec\" -X POST https://api.domain.com/alert.php -d \"alert=Too many Rocket/Preload requests detected\"'"

Hopefully someone can lend a hand!

airween commented 1 month ago

Hi @AngelSamuel,

sorry for the late reply.

I think the problem in your solution is here:

SecAction "id:400020,phase:1,nolog,pass,t:none,setvar:tx.wp_rocket_counter=0"

Your variable will be initialized with 0 in every transaction, and will never reach the value of 10.

I think you need to use a persistent storage to store this value (I assume you want to count the requests by IP), so you need to use the IP collection.

Please first read the relevant part:

(you didn't mention the used version)

https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#persistent-storage

and I'm sure CRS's DOS plugin is a good reference, if you want to understand the behavior:

https://github.com/coreruleset/dos-protection-plugin-modsecurity/blob/main/plugins/dos-protection-before.conf
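A per-IP version of the counter using the IP collection, as an added example (not code from the thread, from ModSecurity, or from the CRS plugin). It assumes a persistent collection backend is configured (SecDataDir in v2) and that /usr/local/bin/wp_rocket_alert.sh is a hypothetical script that performs the curl call itself, because exec runs the script with no arguments.

```apache
# Bind the IP collection to the client address so counters survive across
# transactions (the tx.* variables in the original rules reset every request).
SecAction \
  "id:400020,phase:1,nolog,pass,t:none,\
  initcol:ip=%{REMOTE_ADDR}"

# Count WP Rocket preload requests per client IP. expirevar keeps the
# counter alive for 60 s after the last matching request, then drops it.
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)WP Rocket/Preload" \
  "id:400021,phase:1,nolog,pass,t:none,\
  setvar:ip.wp_rocket_counter=+1,\
  expirevar:ip.wp_rocket_counter=60"

# Fire the external alert only once per window: the ip.wp_rocket_alerted
# flag (hypothetical name) suppresses repeats until it expires.
# /usr/local/bin/wp_rocket_alert.sh is assumed to wrap the curl POST.
SecRule IP:wp_rocket_counter "@gt 10" \
  "id:400022,phase:1,nolog,pass,t:none,chain"
  SecRule &IP:wp_rocket_alerted "@eq 0" \
    "t:none,\
    setvar:ip.wp_rocket_alerted=1,\
    expirevar:ip.wp_rocket_alerted=60,\
    exec:/usr/local/bin/wp_rocket_alert.sh"

# Block the excess requests; placed after the alert rule because deny
# stops further phase-1 processing.
SecRule IP:wp_rocket_counter "@gt 10" \
  "id:400023,phase:1,log,deny,status:403,t:none,\
  msg:'Too many WP Rocket/Preload requests from %{REMOTE_ADDR}'"
```

The counting threshold, window and rule ids are taken from the original post and can be tuned; check the audit log for ids 400022/400023 to confirm the collection persists between requests.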