I want a ModSecurity rule which blocks access to any URL or any POST/GET request body if it contains a specific string.
For example, I want to block this string: "km0ae9gr6m"
I have this rule in place but it doesn't seem to be working.
SecRule ARGS "km0ae9gr6m" "log,deny,msg:'Access Denied'"
Best Answer
Which ModSecurity version are you using?
ARGS variable only includes QUERY_STRING + POST_PAYLOAD in version 1.X. If you're running version 2.X, with your above rule, testing with a request as below:
you'll see something like this in the audit_log:
[modsecurity] [client x.x.x.x] [domain domain.com] [302] [/20120813/20120813-1226/20120813-122624-70QXqH8AAAEA AEucDbkAAAAA] [file "/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf"] [line "305"] [msg "Access Denied"] Access denied with code 403 (phase 2). Pattern match "km0ae9gr6m" at ARGS:b.
In ModSecurity 2.x, ARGS expands to individual variables. So, try this:
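Added example, not part of the answer above and not the answerer's rule: ARGS covers only parameter values, so a ModSecurity 2.x configuration that also inspects the URL, parameter names and the raw body, as the question asks, could look like this. The rule ids 1000000 and 1000001 are constructed placeholders, and request body access is assumed to be acceptable on this server.

```apache
# Added example. Rule ids are constructed placeholders; pick unused ids
# from your own local range (ids are mandatory from ModSecurity 2.7 on).

# Phase 2 rules cannot see POST data unless body buffering is enabled.
SecRequestBodyAccess On

# REQUEST_BODY is normally populated only when the URLENCODED body
# processor runs. Force it for requests that have no body processor
# assigned (for example text/plain posts); this must happen in phase 1.
SecAction "id:1000000,phase:1,nolog,pass,ctl:forceRequestBodyVariable=On"

# The question's rule, for comparison: only parameter *values* are checked.
# SecRule ARGS "km0ae9gr6m" "log,deny,msg:'Access Denied'"

# Broader rule:
#   REQUEST_URI  - path and query string, still percent-encoded
#   ARGS_NAMES   - parameter names (GET and POST)
#   ARGS         - parameter values (GET and POST)
#   REQUEST_BODY - raw body, for payloads that are not parsed into ARGS
# t:urlDecodeUni lets the match see a percent-encoded form of the string
# in REQUEST_URI; @contains is a plain, case-sensitive substring test.
SecRule REQUEST_URI|ARGS_NAMES|ARGS|REQUEST_BODY "@contains km0ae9gr6m" \
    "id:1000001,phase:2,t:none,t:urlDecodeUni,log,deny,status:403,msg:'Access Denied'"
```

After reloading the web server, a match should produce an audit_log entry like the one quoted above, naming the variable that matched (for example ARGS:b or REQUEST_URI).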