ModSecurity block specific string in request
Solution 1
The only thing that I was missing was the processing phase in which this rule must be put to make it work. So the actual rule is here.
SecRule REQUEST_URI|ARGS|REQUEST_BODY "km0ae9gr6m" "phase:4,log,deny,msg:'Access Denied'"
By this rule, you can easily block any type of response that you do not want any user to see. ModSecurity will detect it on its way out to the server and will block it.
Solution 2
Which ModSecurity version are you using? The ARGS variable only includes QUERY_STRING + POST_PAYLOAD in version 1.X. If you're running version 2.X, with your above rule, testing with a request as below:
http://domain.com/a?b=km0ae9gr6m
you'll see something like this in the audit_log:
[modsecurity] [client x.x.x.x] [domain domain.com] [302] [/20120813/20120813-1226/20120813-122624-70QXqH8AAAEAAEucDbkAAAAA] [file "/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf"] [line "305"] [msg "Access Denied"] Access denied with code 403 (phase 2). Pattern match "km0ae9gr6m" at ARGS:b.
In ModSecurity 2.x, ARGS expands to individual variables. So, try this:
SecRule REQUEST_URI|ARGS|REQUEST_BODY "km0ae9gr6m" "log,deny,msg:'Access Denied'"
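An added example (not part of either answer above) that puts the two points together: a phase 2 rule for the request side, as in Solution 2, and a phase 4 rule on RESPONSE_BODY for an HTML page served by Apache, as Solution 1 and the comments describe. It assumes ModSecurity 2.x on Apache; the rule ids are placeholders chosen for this example.

```apache
# Added example, not code from the original question or answers.
# Rule ids 900100/900101 are placeholders; pick ids free in your rule set.

# Request bodies are not inspected unless body access is switched on.
SecRequestBodyAccess On

# Phase 2 (request body received): block the marker in the URL path,
# in query/POST arguments and in the raw request body. @contains is a
# literal match, so no regex escaping is needed for the marker string.
SecRule REQUEST_URI|ARGS|REQUEST_BODY "@contains km0ae9gr6m" \
    "id:900100,phase:2,t:none,log,deny,status:403,msg:'Access Denied - marker in request'"

# Response bodies are only buffered for the listed MIME types, so a page
# that merely contains the string is invisible to request-phase rules.
SecResponseBodyAccess On
SecResponseBodyMimeType text/html text/plain

# Phase 4 (response body available): block the page on its way out.
SecRule RESPONSE_BODY "@contains km0ae9gr6m" \
    "id:900101,phase:4,t:none,log,deny,status:403,msg:'Access Denied - marker in response'"
```

Without SecResponseBodyAccess On and a matching SecResponseBodyMimeType, the phase 4 rule never sees the page body, which is the behaviour reported in the comments below.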
Farhan
Updated on September 18, 2022
Comments
-
Farhan over 1 year
I want a ModSecurity rule which blocks access to any URL or any POST/GET request body if it contains a specific string.
For example, I want to block this string: "km0ae9gr6m"
I have this rule in place but it doesn't seem to be working.
SecRule ARGS "km0ae9gr6m" "log,deny,msg:'Access Denied'"
-
Farhan over 11 years
I am using modsecurity 2.6. And I have created an HTML page having this string in it. I have hosted that page on Apache and with your rule above, it still opens the page and does not detect this string.
-
Farhan over 11 years
I have tried with a RESPONSE_BODY match as well, but it is still not working. I have pasted this string in an HTML page, tried to open it remotely and it opened without any issues.
-
Greg Petersen over 11 years
Your original question is not clear. If you want to filter output, as you posted below, do it in phase:4.
-
Michael Hampton almost 6 years
Which answer says to use phase:1? And why do you send 409 Conflict?