ModSecurity block specific string in request

apache-2.2mod-security

I want a ModSecurity rule, which block the access to any url or any Body request Post/Get, if it contains a specific string.

For example i want to block this string : "km0ae9gr6m"

I have this rule in placse but it doesnt seems to be working.

SecRule ARGS "km0ae9gr6m" "log,deny,msg:'Access Denied'"

Best Answer

Which ModSecurity version are you using? ARGS variable only includes QUERY_STRING + POST_PAYLOAD in version 1.X. If you're running version 2.X, with your above rule, testing with a request as below:

http://domain.com/a?b=km0ae9gr6m

you'll see something like this in the audit_log:

[modsecurity] [client x.x.x.x] [domain domain.com] [302] [/20120813/20120813-1226/20120813-122624-70QXqH8AAAEA AEucDbkAAAAA] [file "/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf"] [line "305"] [msg "Access Denied"] Access denied with code 403 (phase 2). Pattern match "km0ae9gr6m" at ARGS:b.

In ModSecurity 2.x, ARGS expands to individual variables. So, try this:

SecRule REQUEST_URI|ARGS|REQUEST_BODY "km0ae9gr6m" "log,deny,msg:'Access Denied'"

Related Solutions

Why does modsecurity require Content-Length in POST requests

First of all, you should know that you are running an obsolete version of ModSecurity (branch 1.x). If you are running Apache 2.0.x you should upgrade to ModSecurity 2.x. If you are still running Apache 1.3.x then I am afraid that you don't have a choice since ModSecurity 2.x won't work with it. ModSecurity 1.x itself is not known to be vulnerable, but its rule engine is too inflexible for today's demands.

If I recall correctly, ModSecurity 1.x required POST requests to specify content length purely because it didn't support chunked request bodies (the alternative way of submitting request bodies, in which the total length is not known until the end). Chunked request bodies were incredibly rare then (we're talking years 2003, 2004) and are still rare (although some mobile devices are using them).

There are no such restrictions in ModSecurity 2.x.

If you remove that rule you will create a big hole through which someone could sneak in an attack undetected. On the other hand, I can argue that, with you running ModSecurity 1.x, there are other ways to do the same. Alternatively, tweak the rule to refuse requests that have the Transfer-Encoding request header set. You should be safe with that.

Disclosure: I wrote ModSecurity.

Linux – Mod_security questions and on User-Agent types

I think you should rather use a SecDefaultAction to pass, and then to user the filter about perl user agent, to allow only this one. (If that's what you're really trying to do!)

SecDefaultAction phase:2,pass,status:403,log,auditlog

SecRule REQUEST_HEADERS:User-Agent "!perl" "phase:2,deny,msg:'Perl based user agent identified'"

I'm pretty sure this will work, but haven't tested it yet. And about your question concerning the differences between the two types, I think there isn't any.

Best Answer

Related Solutions

Why does modsecurity require Content-Length in POST requests

Linux – Mod_security questions and on User-Agent types

Related Topic