ModSecurity Examples
Examples
Block particular string in URL:
SecRule REQUEST_URI "##SEARCH##" "t:normalisePath,id:##RULE_ID##,phase:2,deny,status:510,msg:'##MESSAGE##'"
Alternatively, only check filename (not domain):
SecRule REQUEST_FILENAME "##SEARCH##" "log,id:##RULE_ID##,deny,status:510,msg:'##MESSAGE##'"
Block by method (POST) if the URL contains a particular string:
SecRule REQUEST_METHOD "@streq POST" "t:normalisePath,id:##RULE_ID##,phase:2,deny,status:510,msg:'##MESSAGE##',chain"
SecRule REQUEST_URI "##SEARCH##"
Chaining multiple rules together:
SecRule REQUEST_METHOD "@streq POST" "t:normalisePath,id:##RULE_ID##,phase:2,deny,status:510,msg:'##MESSAGE##',chain"
SecRule REQUEST_URI "##SEARCH##" "chain"
SecRule REQUEST_BODY "##SEARCH##"
Searching for string in multiple variables:
SecRule REQUEST_METHOD "@streq POST" "t:normalisePath,id:##RULE_ID##,phase:2,deny,status:510,msg:'##MESSAGE##',chain"
SecRule QUERY_STRING|REQUEST_BODY "##SEARCH##"
##SEARCH## = The string to search for
##RULE_ID## = Unique ID of the rule
##MESSAGE## = Message written to the logs
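The rules above are templates. The Python helper below is an added example, not part of the original page: it fills the three placeholders and renders chained rules in the form ModSecurity accepts, one SecRule directive per line. It assumes the default @rx operator (so ##SEARCH## is regex-escaped before substitution) and an integer rule id; the function names, sample ids and sample search strings are constructed for illustration.

```python
"""Generate ModSecurity 2.x SecRule text from the page's placeholder templates.

Added example, not from the original page. Assumptions: the default @rx
operator is in use (so ##SEARCH## is a regular expression), rule ids are
integers, and the deny/status:510 response mirrors the page's snippets.
"""
import re

DEFAULT_STATUS = 510  # the page's chosen response code


def literal(search):
    """##SEARCH## is matched by @rx, so a literal string such as
    'login.php' must be regex-escaped or '.' will match any character."""
    if '"' in search:
        raise ValueError("double quotes cannot appear inside a quoted SecRule operand")
    return re.escape(search)


def deny_actions(rule_id, message, *, transform="normalisePath", phase=2,
                 status=DEFAULT_STATUS, chain=False):
    """Build the action list shared by every blocking rule on the page."""
    if not isinstance(rule_id, int) or rule_id <= 0:
        raise ValueError("id must be a positive integer")
    if "'" in message:
        # msg is single-quoted in the rule text; a quote would end it early
        raise ValueError("message must not contain single quotes")
    actions = []
    if transform:
        actions.append(f"t:{transform}")
    actions += [f"id:{rule_id}", f"phase:{phase}", "deny",
                f"status:{status}", f"msg:'{message}'"]
    if chain:
        actions.append("chain")
    return actions


def sec_rule(variables, operand, actions=None):
    """Render one SecRule line; variables are joined with '|' as on the page."""
    text = f'SecRule {"|".join(variables)} "{operand}"'
    if actions:
        text += f' "{",".join(actions)}"'
    return text


def chained_rules(rule_id, message, steps, **action_opts):
    """Render a chain: the first rule carries the actions plus 'chain',
    intermediate rules carry only 'chain', the last rule carries nothing.
    Each SecRule directive goes on its own line."""
    if len(steps) < 2:
        raise ValueError("a chain needs at least two rules")
    head_vars, head_operand = steps[0]
    lines = [sec_rule(head_vars, head_operand,
                      deny_actions(rule_id, message, chain=True, **action_opts))]
    for i, (variables, operand) in enumerate(steps[1:], start=2):
        is_last = i == len(steps)
        lines.append(sec_rule(variables, operand, None if is_last else ["chain"]))
    return "\n".join(lines)


def block_string_in_uri(rule_id, search, message):
    """The page's first example with its placeholders filled in."""
    return sec_rule(["REQUEST_URI"], literal(search), deny_actions(rule_id, message))


def block_post_containing(rule_id, search, message, variables=("REQUEST_URI",)):
    """The page's POST-only example: method check chained to a content check."""
    return chained_rules(rule_id, message,
                         [(["REQUEST_METHOD"], "@streq POST"),
                          (list(variables), literal(search))])


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment
    print(block_string_in_uri(1001, "/admin/login.php", "admin login blocked"))
    print(block_post_containing(1002, "passwd", "passwd in POST",
                                variables=("QUERY_STRING", "REQUEST_BODY")))
```

Running the module prints the two generated rules. A rule that inspects REQUEST_BODY only sees data when SecRequestBodyAccess On is set in the ModSecurity configuration, so check that directive is in effect before relying on the chained body checks.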
Most used variables
REQUEST_METHOD - GET, POST, HEAD etc.
REQUEST_URI - Full URI, like http://www.test.com/test/test.php?test_var=test_value
REQUEST_FILENAME - Directory / file name, like test/test.php
ARGS_NAMES - Argument names (test_var)
ARGS - Argument values (test_value)
QUERY_STRING - Full query string (test_var=test_value)
REQUEST_BODY - All POST data being sent
REQUEST_HEADERS - All request headers
REQUEST_HEADERS:User-Agent - A specific header (here User-Agent)
Full documentation: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
Important files
ModSecurity main configuration: /usr/local/apache2/conf/mod_security2.conf
Own rules: /usr/local/apache2/conf/mod_security2_hoststar_rules.conf
User agent blacklist: /usr/local/apache2/conf/mod_security2/cwaf-rules/userdata_bl_agents
User agent whitelist: /usr/local/apache2/conf/mod_security2/cwaf-rules/userdata_wl_agents