3.x Defense against ddos cc failed, tx.dos_burst_time_slice=60 does not take effect, requests exceeding 1 point will still be counted #2899

Closed
ccl123456789012 opened this issue May 11, 2023 · 1 comment

Comments

@ccl123456789012
Describe the bug

A clear and concise description of what the bug is.

Logs and dumps

Output of:

  1. DebugLogs (level 9)
  2. AuditLogs
  3. Error logs
  4. If there is a crash, the core dump file.

Notice: Be careful to not leak any confidential information.

To Reproduce

Steps to reproduce the behavior:

A curl command line that mimics the original request and reproduces the problem. Or a ModSecurity v3 test case.

[e.g: curl "modsec-full/ca/..\..\..\..\..\..\/\etc/\passwd" or issue-394.json]

Expected behavior

A clear and concise description of what you expected to happen.

Server (please complete the following information):

  • ModSecurity version (and connector): [e.g. ModSecurity v3.0.8 with nginx-connector v1.0.3]
  • WebServer: [e.g. nginx-1.18.0]
  • OS (and distro): [e.g. Linux, archlinux]

Rule Set (please complete the following information):

  • Running any public or commercial rule set? [e.g. SpiderLabs commercial rules]
  • What is the version number? [e.g. 2018-08-11]

Additional context

Add any other context about the problem here.

@martinhsv
Contributor

martinhsv commented May 11, 2023

Hello @ccl123456789012,

The intention of the issue template is to fill in the suggested elements with information from your deployment and the problem that you believe you are experiencing.

Note that this GitHub repo is about the engine, and you appear to be referencing a particular rule set (perhaps CRS) which is managed separately. At minimum, the following would be necessary: the actual rules you are using, what both the expected and experienced behaviours are, and what version of ModSecurity you are using.

However, given the timing nature of your inquiry, if you are using ModSecurity v3, it's possible that you are encountering a known issue: that expirevar has not yet been implemented in v3. There is an open item for this: #1803
