Reputation: 1
I'm trying to configure ModSecurity for Apache to limit the number of times a given resource can be accessed. I wrote this code, and it works (I'm getting a 429 rejection as I wanted), but I can't reinitiate ip.counter at a certain point in time (last line).
SecAction initcol:ip=%{REMOTE_ADDR},pass,nolog,id:132
SecAction "phase:2,setvar:ip.counter=+1,pass,nolog,id:332"
SecRule IP:COUNTER "@ge 1" "phase:3,id:'9000080007',pause:10,deny,status:429,setenv:RATELIMITED,skip:1,nolog,id:232"
SecRule TIME "^10:37:00$" "phase:2,id:'9000080008',setvar:!ip.counter"
However, if I switch the last line to use TIME_HOUR instead, the SecRule does apply correctly:
SecRule TIME_HOUR "@eq 10" "phase:2,id:'9000080008',setvar:!ip.counter"
Any help please for using the TIME variable in SecRule to match the exact time?
Upvotes: 0
Views: 451
Reputation: 299
Congratulations on getting a very advanced recipe to work properly. This is really cool.
Now your rule does not work, because the online reference is wrong about the format of the TIME variable (the Handbook is correct, though).
Here is how to debug this on ModSec debug log level 9:
SecRule TIME "@unconditionalMatch" "id:1000,phase:2,pass,log,msg:'Key : Value : |%{MATCHED_VAR_NAME}| : |%{MATCHED_VAR}|'"
Leads to:
...4c20][/][5] Rule 562b28db5420: SecRule "TIME" "@unconditionalMatch " "phase:2,auditlog,id:1007,pass,log,msg:'Key : Value : |%{MATCHED_VAR_NAME}| : |%{MATCHED_VAR}|'"
...4c20][/][4] Transformation completed in 0 usec.
...4c20][/][4] Executing operator "unconditionalMatch" with param "" against TIME.
...4c20][/][9] Target value: "20220829070111"
...4c20][/][4] Operator completed in 0 usec.
...4c20][/][9] Resolved macro %{MATCHED_VAR_NAME} to: TIME
...4c20][/][9] Resolved macro %{MATCHED_VAR} to: 20220829070111
...4c20][/][2] Warning. Unconditional match in SecAction. [file "/apache/conf/httpd.conf_pod_2022-08-29_06:58"] [line "209"] [id "1007"] [msg "Key : Value : |TIME| : |20220829070111|"]
...4c20][/][4] Rule returned 1.
...4c20][/][9] Match -> mode NEXT_RULE.
Upvotes: 0
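Added example, not part of either post: the debug log above shows TIME as a 14-digit `YYYYMMDDHHMMSS` string, so the reset rule has to match on the last six digits. The rule ids 900100-900103, the threshold of 10 and the 60-second lifetime are constructed values, and Option B is an alternative that neither poster proposed.

```apache
# Added example (not from the original posts). Rule ids 900100-900103,
# the threshold of 10 and the 60 s lifetime are constructed assumptions.

# TIME is YYYYMMDDHHMMSS (the debug log shows "20220829070111"), so a
# pattern written for HH:MM:SS can never match:
#   SecRule TIME "^10:37:00$" "phase:2,id:'9000080008',setvar:!ip.counter"

# Keep one persistent record per client address.
SecAction "id:900100,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Option A: match only the time-of-day part of TIME and ignore the date.
# The last six digits are HHMMSS. This rule fires only for a request that
# is processed during that exact second, and it clears the counter of the
# client making that request, not the counters of other addresses.
SecRule TIME "@rx ^[0-9]{8}103700$" \
    "id:900101,phase:2,pass,nolog,setvar:!ip.counter"

# Option B: give the counter a lifetime instead of waiting for a request
# at one particular second. expirevar is re-armed each time this action
# runs, so the counter disappears 60 seconds after the client's last request.
SecAction "id:900102,phase:2,pass,nolog,\
setvar:ip.counter=+1,expirevar:ip.counter=60"

# Reject once the client exceeds the threshold.
SecRule IP:COUNTER "@gt 10" \
    "id:900103,phase:3,deny,status:429,nolog,setenv:RATELIMITED"
```

Options A and B are alternatives for clearing the counter; with Option A alone, keep the original `setvar:ip.counter=+1` action without `expirevar`.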