Fixes SecConnWriteStateLimit #1545
Conversation
|
(not sure why the Travis check failed? can I kick it off again?) Any feedback? Hoping this is a straightforward fix to get in. |
|
nicjansma is correct, this is an important bug |
|
Hi @nicjansma, Thanks for the patch. We currently support two different ModSecurity versions on this very same repository. The v2 and the v3 family. Those different versions are using different buildbots, for some reason the v3 was shot to verify your commit and it failed as expected. I am running the v2 family buildbot manually to check your fix. |
|
Merged ;) thanks! |
|
Greetings!
|
|
thanks @victorhora , much appreciated 👍 |
|
@victorhora @zimmerle Would we be able to move forward with a 2.9.3 release soon? |
|
@victorhora @zimmerle do you have an estimate for when a 2.9.3 release will be available? |
|
Hi @nicjansma We would like to have finished both 3.0.3 and 2.9.3 releases by end of September, but unfortunately some of the issues took more time and effort than we anticipated. There's milestones set for both releases here: 2.9.3: https://github.com/SpiderLabs/ModSecurity/milestone/10 3.0.3 https://github.com/SpiderLabs/ModSecurity/milestone/12 And we also have a number of pull requests to be fully reviewed/tested and merged prior to the next release: https://github.com/SpiderLabs/ModSecurity/pulls Ideally we would like to fix/close most (or all) of those issues before the next release. Hopefully soon, but I don't have a date yet, but certainly before end of October. In the meantime, any help in the sense of pull requests, reviews, results of tests and comments on the aforementioned issues/PRs are appreciated :) |
|
That's great @victorhora, thank you for the update! That seems to be quite a few issues being addressed in 2.9.3. Would you consider moving forward with a few smaller 2.9.x releases? |
|
Hi @nicjansma, you're welcome :) Well, the thing is, as you may have heard development is focused on the v3 branch. And we are planning to do releases for this branch on a shorter period of time. Ideally every 3 months or so. For 2.x releases we don't have a fixed release schedule set at the moment. 2.x should be at maintenance level. Meaning that new releases should be based on addressing either security issues or critical bugs. But we also believe that a reasonable amount of changes also warrants for a release. For instance, we have >20 fixes between 2.9.2 and current master (pre-2.9.3). Hence why we are working on releasing 2.9.3 as soon as possible :) |
|
Glad to see 3.0.3 has been released! Are you planning a 2.9.3 release soon? |
|
Hi @nicjansma Yes, we want to release 2.9.3 as soon as possible. You can track the progress of the milestone for 2.9.3 here: https://github.com/SpiderLabs/ModSecurity/milestone/10 As soon as that last issue is solved we will start cooking the 2.x release. Thanks. |
|
I believe that by now you probably notice that 2.9.3 is out? :) https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.3 Thanks for your contribution on this one! :) Cheers |
|
Much obliged! |
Since a15f881, I don't believe
SecConnWriteStateLimithas been working properly, which means that "slow read" attacks are not protected against.With ModSecurity 2.9.2 on Apache 2.4.27, I was seeing ModSecurity properly blocking a Slowloris attack (slow writing headers) via
slowhttptest -H:Apache
error_logwithSecConnReadStateLimit 50:We see above that the 51st and all subsequent connections are properly dropped.
However, "slow read" attacks (
slowhttptestwith-Xor-B) aren't currently protected. WithSecConnWriteStateLimit 50, ModSecurity currently logs warnings but doesn't drop connections.(note 226 out of 50 allowed)
It looks like the line I've changed in this PR had inversed logic (should have been the same as the
SecConnReadStateLimitlogic), but a15f881 swapped it on accident.With this one-character fix, I now see slow read attacks being blocked.
CC @zimmerle