ModSecurity block specific string in request


Solution 1

The only thing that I was missing was the processing phase in which this rule must be put to make it work. So the actual rule is here:

SecRule REQUEST_URI|ARGS|REQUEST_BODY "km0ae9gr6m" "phase:4,log,deny,msg:'Access Denied'"

By this rule, you can easily block any type of response that you do not want any user to see. ModSecurity will detect it on its way out to the server and will block it.

Solution 2

Which ModSecurity version are you using? The ARGS variable only includes QUERY_STRING + POST_PAYLOAD in version 1.X. If you're running version 2.X with your above rule, testing with a request like the one below:

http://domain.com/a?b=km0ae9gr6m

you'll see something like this in the audit_log:

[modsecurity] [client x.x.x.x] [domain domain.com] [302] [/20120813/20120813-1226/20120813-122624-70QXqH8AAAEA AEucDbkAAAAA] [file "/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf"] [line "305"] [msg "Access Denied"] Access denied with code 403 (phase 2). Pattern match "km0ae9gr6m" at ARGS:b.

In ModSecurity 2.x, ARGS expands to individual variables. So, try this:

SecRule REQUEST_URI|ARGS|REQUEST_BODY "km0ae9gr6m" "log,deny,msg:'Access Denied'"
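Added example (not part of either answer above): a request-side rule for the case Solution 2 covers and a response-side rule for the phase:4 case from Solution 1, on ModSecurity 2.x. The rule ids 900001 and 900002 are arbitrary placeholders (2.7 and later require an id); the body-access directives are the ones a phase:4 RESPONSE_BODY match silently needs.

```apache
# Added example, not from either answer: one request-side rule and one
# response-side rule for the same literal string on ModSecurity 2.x.
# Rule ids 900001/900002 are arbitrary placeholders; 2.7+ requires an id.
SecRuleEngine On

# Request body inspection must be switched on, otherwise REQUEST_BODY
# is empty and a POST payload is never seen by the rule.
SecRequestBodyAccess On

# Phase 2: URL, query/POST argument values, argument names and raw body.
# @contains is a literal match, so the string needs no regex escaping.
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_BODY "@contains km0ae9gr6m" \
    "id:900001,phase:2,t:none,log,deny,status:403,msg:'Access Denied (request)'"

# Response body inspection is off by default; a phase:4 rule on
# RESPONSE_BODY matches nothing unless these directives are set and the
# response MIME type is in the list. The limit keeps memory use bounded.
SecResponseBodyAccess On
SecResponseBodyMimeType text/html text/plain
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# Phase 4: the generated page itself (the case from the comments, where an
# HTML file containing the string was still served to the client).
SecRule RESPONSE_BODY "@contains km0ae9gr6m" \
    "id:900002,phase:4,t:none,log,deny,status:403,msg:'Access Denied (response)'"
```

A successful block shows up in the audit log as "Access denied with code 403 (phase 2)" or "(phase 4)" respectively, which is the quickest way to tell which side of the exchange the match happened on.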

Author: Farhan

Updated on September 18, 2022

Comments

  • Farhan (over 1 year)

    I want a ModSecurity rule which blocks access to any URL or any request body (POST/GET) if it contains a specific string.

    For example, I want to block this string: "km0ae9gr6m"

    I have this rule in place but it doesn't seem to be working.

    SecRule ARGS "km0ae9gr6m" "log,deny,msg:'Access Denied'"

  • Farhan (over 11 years)
    I am using ModSecurity 2.6. I have created an HTML page containing this string; I have hosted that page on Apache and, with your rule above, it still opens the page and does not detect this string.
  • Farhan (over 11 years)
    I have tried with a RESPONSE_BODY match as well, but it is still not working. I pasted this string in an HTML page, tried to open it remotely and it opened without any issues.
  • Greg Petersen (over 11 years)
    Your original question is not clear. If you want to filter output, as you posted below, do it in phase:4.
  • Michael Hampton (almost 6 years)
    Which answer says to use phase:1? And why do you send 409 Conflict?