OWASP ModSec CRS Paranoia Mode Sibling 981049

This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.

981049 : Potential Denial of Service (DoS)
# # -=[ Potential Denial of Service (DoS)  ]=- # # This is a paranoid sibling to 2.2.9 Experimental Rule 981049. # The rule now triggers after the first burst instead of the second. # For 3.0.0-rc1 rule, see 912100. # SecRule IP:DOS_BURST_COUNTER "@ge 1" "phase:logging,\       rev:'1',\        ver:'OWASP_CRS/3.0.0',\        maturity:'X',\        accuracy:'Y',\        t:none,\        log,\        msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts:%{ip.dos_burst_counter}',\        id:'XXXXXX',\        tag:'FIXME Filler for attacktype',\        tag:'Paranoia rule on level Z',\        setvar:ip.dos_block=1,\        expirevar:ip.dos_block=%{tx.dos_block_timeout},\        pass"