modsecurity:writing_your_own_mod_security_rules

Differences

This shows you the differences between two versions of the page.

Next revision
Previous revision
modsecurity:writing_your_own_mod_security_rules [2016/10/14 14:09] – created peter
modsecurity:writing_your_own_mod_security_rules [2019/11/30 14:21] (current) – removed peter
Line 1: Line 1:
-====== ModSecurity - Writing Your Own mod_security Rules ====== 
- 
-In this section, we'll create a rule chain which blocks the request if certain "spammy" words are entered in a HTML form.  First, we'll create a PHP script which gets the input from a textbox and displays it back to the user. 
- 
- 
-<file bash /var/www/form.php> 
-<html> 
-<body> 
-<?php 
-  if(isset($_POST['data'])) 
-    echo $_POST['data']; 
-  else 
-  { 
-?> 
-    <form method="post" action=""> 
-      Enter something here:<textarea name="data"></textarea> 
-      <input type="submit"/> 
-    </form> 
-<?php 
-  } 
-?> 
-/body> 
-</html> 
-</file> 
- 
-Custom rules can be added to any of the configuration files or placed in modsecurity directories.  We'll place our rules in a separate new file. 
- 
-<code bash> 
-vi /etc/modsecurity/modsecurity_custom_rules.conf 
-</code> 
- 
-Add the following to this file: 
- 
-<file bash /etc/modsecurity/modsecurity_custom_rules.conf> 
-SecRule REQUEST_FILENAME "form.php" "id:'400001',chain,deny,log,msg:'Spam detected'" 
-SecRule REQUEST_METHOD "POST" chain 
-SecRule REQUEST_BODY "@rx (?i:(pills|insurance|rolex))" 
-</file> 
- 
-Save the file and reload Apache. Open http://yourwebsite.com/form.php in the browser and enter text containing any of these words: pills, insurance, rolex. 
- 
-You'll either see a 403 page and a log entry or only a log entry based on **SecRuleEngine** setting.  The syntax for SecRule is 
- 
-<code bash> 
-SecRule VARIABLES OPERATOR [ACTIONS] 
-</code> 
- 
-Here we used the chain action to match variables **REQUEST_FILENAME** with **form.php**, **REQUEST_METHOD** with **POST** and **REQUEST_BODY** with the regular expression (@rx) string (pills|insurance|rolex).  The **?i:** does a case insensitive match.  On a successful match of all these three rules, the ACTION is to **deny** and **log** with the msg "Spam detected."  The chain action simulates the logical AND to match all the three rules. 
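
Review bot: form.php in the removed text prints `echo $_POST['data'];` with no output encoding, so the sample page reflects whatever markup is submitted and the three-word rule does nothing about that; if this tutorial is restored or moved elsewhere, wrap the value in `htmlspecialchars()` and repair the broken closing tag `/body>`. In the rule chain, `REQUEST_FILENAME "form.php"` is an unanchored regular expression whose dot matches any character, so `@endsWith /form.php` would state the intent more exactly, and matching `ARGS_POST:data` rather than `REQUEST_BODY` would check the decoded value of the one field the form submits. Both `<file bash ...>` blocks are tagged bash although they hold PHP and ModSecurity configuration.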
  
modsecurity/writing_your_own_mod_security_rules.1476454191.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
