DOS Rules : TX:STATIC_EXTENSIONS

[Blason R]

Hi Team,

I am trying to set DOS in Modsecurity CRS 3.3.2 and stumbled upon TX:STATIC_EXTENSIONS. How does crs identify static_extensions? Or where do I define TX:STATIC_EXTENSIONS.

So that requests other than TX:STATIC_EXTENSIONS will be identified as DOS.

[Blason R]

Ok - Got it -

Under - REQUEST-901-INITIALIZATION.conf

SecRule &TX:static_extensions "@eq 0" \
    "id:901166,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/3.3.0',\
    setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"

[Walter Hop]

> I am trying to set DOS in Modsecurity CRS 3.3.2 and stumbled upon TX:STATIC_EXTENSIONS. How does crs identify static_extensions? Or where do I define TX:STATIC_EXTENSIONS.
>
> So that requests other than TX:STATIC_EXTENSIONS will be identified as DOS.

You can edit your crs-setup.conf and remove the comments from this rule, like this:

# File extensions considered static files.
# Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters.
# Used in DoS protection rule. See section "Anti-Automation / DoS Protection".
# Default: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/
# Uncomment this rule to change the default.
SecAction \
"id:900260,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/‘"

The setvar line already contains the defaults. You can add more extensions, keeping in mind that they should be between slashes, e.g. /.ext/

Kind regards,
Walter Hop
CRS co-lead