• Resolved wycks

    (@wycks)


    Where can I find more info on the ban threshold parameters (default 70)? I tried looking on the PHPIDS site but could not find anything.

    I ask because some repeated attacks are getting through (I’m assuming because they are under the threshold) and I would like to know what exactly the threshold parameters are.

    For example, with the default threshold at 70, an XSS like
    /2011/04/poll_logs.php?qid=%27 is not limited by the Attack repeat limit setting.

    Thanks!

Viewing 1 replies (of 1 total)
  • Plugin Author ampt

    (@ampt)

    The impact values are defined in default_filter.xml; this is where the filter rules are defined, along with the impact value associated with them.

    You can find more info on the impact value in the PHPIDS whitepaper under the title “Working with the impact”
    https://docs.google.com/Doc?id=dd7x5smw_17g9cnx2cn

    The whitepaper mentions that a normal attack impact ranks at about a range of 5-50. The ban threshold and all the default thresholds in Mute Screamer are a little higher than stated in the whitepaper.

    Why are the default values in Mute Screamer a little higher? The impact value in most cases is doubled, because of the way that PHP handles the global variables GET, POST, COOKIE, REQUEST. Any data in GET, POST or COOKIE is combined in REQUEST. Since PHPIDS is configured to check all of these global variables, we end up with a double impact value in most cases.

    Here’s some background info on why we check all global variables which results in the double impact value:

    https://forum.itratos.de/showthread.php?401-checking-_REQUEST-without-the-double-impact-value
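
Added example (not part of the thread, and not Mute Screamer or PHPIDS code): a self-contained PHP illustration of the double counting described in the reply above, applied to the decoded `qid=%27` request from the question. The rules, their impact values and the helper names `scanSource` and `scanRequest` are constructed for illustration; it assumes REQUEST is a plain merge of GET, POST and COOKIE and that the ban threshold is compared with a single request's total.

```php
<?php
// Constructed rules: patterns and impact values are illustrative only,
// they are NOT copied from PHPIDS's default_filter.xml.
$rules = [
    ['id' => 'quote',  'pattern' => "/'/",            'impact' => 3],
    ['id' => 'script', 'pattern' => '/<script\b/i',   'impact' => 6],
    ['id' => 'event',  'pattern' => '/\bon\w+\s*=/i', 'impact' => 5],
];

// Sum the impact of every rule that matches any value in one source array.
function scanSource(array $source, array $rules): int
{
    $impact = 0;
    foreach ($source as $value) {
        foreach ($rules as $rule) {
            if (preg_match($rule['pattern'], (string) $value) === 1) {
                $impact += $rule['impact'];
            }
        }
    }
    return $impact;
}

// Total impact across all monitored sources, with a per-source breakdown.
function scanRequest(array $sources, array $rules): array
{
    $perSource = [];
    foreach ($sources as $name => $data) {
        $perSource[$name] = scanSource($data, $rules);
    }
    return ['total' => array_sum($perSource), 'per_source' => $perSource];
}

// Constructed request: the query string from the question, URL-decoded (qid=').
$get     = ['qid' => "'"];
$post    = [];
$cookie  = [];
$request = array_merge($get, $post, $cookie); // assumed: REQUEST combines the others

$banThreshold = 70; // default value mentioned in the question

$withRequest    = scanRequest(['GET' => $get, 'POST' => $post, 'COOKIE' => $cookie, 'REQUEST' => $request], $rules);
$withoutRequest = scanRequest(['GET' => $get, 'POST' => $post, 'COOKIE' => $cookie], $rules);

// The same parameter is scored once in GET and again in REQUEST.
printf("GET+POST+COOKIE only: impact %d\n", $withoutRequest['total']);
printf("plus REQUEST:         impact %d\n", $withRequest['total']);
printf("reaches ban threshold (%d): %s\n", $banThreshold,
    $withRequest['total'] >= $banThreshold ? 'yes' : 'no');
```

With these constructed values, the single quote scores in both GET and REQUEST, so the total is twice the rule's impact and still far below the threshold.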

  • The topic ‘How does the ban threshold work?’ is closed to new replies.