====== Ubuntu - ModSecurity - Writing Your Own mod_security Rules ======
In this section, we'll create a rule chain which blocks the request if certain "spammy" words are entered in an HTML form. First, we'll create a PHP script which gets the input from a textbox and displays it back to the user.
/body>
Custom rules can be added to any of the configuration files or placed in modsecurity directories. We'll place our rules in a separate new file.
<code>
vi /etc/modsecurity/modsecurity_custom_rules.conf
</code>
Add the following to this file:
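<code>
# Deny POSTs to form.php whose body contains a listed word.
# The chained rules below must all match before deny/log fire.
SecRule REQUEST_FILENAME "form.php" "id:'400001',chain,deny,log,msg:'Spam detected'"
    SecRule REQUEST_METHOD "POST" chain
    SecRule REQUEST_BODY "@rx (?i:(pills|insurance|rolex))"
</code>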
Save the file and reload Apache. Open http://yourwebsite.com/form.php in the browser and enter text containing any of these words: pills, insurance, rolex.
Depending on the **SecRuleEngine** setting, you'll see either a 403 page and a log entry, or only a log entry. The syntax for SecRule is:
<code>
SecRule VARIABLES OPERATOR [ACTIONS]
</code>
Here we used the **chain** action to match the variable **REQUEST_FILENAME** against **form.php**, **REQUEST_METHOD** against **POST** and **REQUEST_BODY** against the regular expression (@rx) (pills|insurance|rolex). The **?i:** makes the match case-insensitive. When all three rules match, the ACTION is to **deny** and **log** with the msg "Spam detected". The chain action simulates a logical AND across the three rules.
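As an added illustration (not part of the original tutorial and not ModSecurity code), the following Python model evaluates the same three chained conditions against constructed sample requests and shows the outcome under each **SecRuleEngine** mode. The function names and the sample requests are assumptions made for this example; the last sample is caught because the unanchored regex also matches "pills" inside "spills", a false positive worth testing for before enabling blocking.

```python
import re
from urllib.parse import urlsplit

# The three chained conditions from the rule above, in order.
# REQUEST_FILENAME "form.php" uses the default @rx operator, so it is an
# unanchored regex search, exactly like the REQUEST_BODY condition.
CHAIN = [
    ("REQUEST_FILENAME", re.compile(r"form.php")),
    ("REQUEST_METHOD", re.compile(r"POST")),
    ("REQUEST_BODY", re.compile(r"(?i:(pills|insurance|rolex))")),
]


def chain_matches(method, url, body):
    """Return True only if every link of the chain matches (logical AND)."""
    variables = {
        "REQUEST_FILENAME": urlsplit(url).path,  # path without query string
        "REQUEST_METHOD": method,
        "REQUEST_BODY": body,
    }
    # all() stops at the first link that fails, as a chain does.
    return all(rx.search(variables[name]) for name, rx in CHAIN)


def evaluate(engine, method, url, body=""):
    """Model the outcome for SecRuleEngine On / DetectionOnly / Off.

    Returns (http_status, logged); 200 stands in for "request passed on".
    """
    if engine == "Off" or not chain_matches(method, url, body):
        return 200, False
    if engine == "DetectionOnly":
        return 200, True   # log entry only, request is not blocked
    return 403, True       # deny (default status 403) plus log entry


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", "/form.php", "data=Cheap+ROLEX+watches"),  # all three links match
    ("GET", "/form.php?data=rolex", ""),                # method link fails
    ("POST", "/contact.php", "data=rolex"),             # filename link fails
    ("POST", "/form.php", "data=she+spills+coffee"),    # substring false positive
]

if __name__ == "__main__":
    for engine in ("On", "DetectionOnly"):
        for method, url, body in SAMPLES:
            print(engine, method, url, "->", evaluate(engine, method, url, body))
```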
----
===== References =====
https://www.digitalocean.com/community/tutorials/how-to-set-up-mod_security-with-apache-on-debian-ubuntu