
Ubuntu - ModSecurity - Writing Your Own mod_security Rules

In this section, we'll create a rule chain that blocks the request if certain “spammy” words are entered in an HTML form. First, we'll create a PHP script that reads the input from a textarea and displays it back to the user.

/var/www/form.php
<html>
<body>
<?php
  if(isset($_POST['data']))
    // Escape the echoed value so a submitted <script> tag is shown as text,
    // not executed in the browser (reflected XSS).
    echo htmlspecialchars($_POST['data'], ENT_QUOTES, 'UTF-8');
  else
  {
?>
    <form method="post" action="">
      Enter something here:<textarea name="data"></textarea>
      <input type="submit"/>
    </form>
<?php
  }
?>
</body>
</html>

Custom rules can be added to any of the existing ModSecurity configuration files or placed in a new file in the ModSecurity configuration directory that Apache includes. We'll place our rules in a separate new file.

vi /etc/modsecurity/modsecurity_custom_rules.conf

Add the following to this file:

/etc/modsecurity/modsecurity_custom_rules.conf
# Chain of three rules: the request is denied only if all three match.
SecRule REQUEST_FILENAME "form.php" "id:'400001',chain,deny,log,msg:'Spam detected'"
SecRule REQUEST_METHOD "POST" chain
SecRule REQUEST_BODY "@rx (?i:(pills|insurance|rolex))"

Save the file and reload Apache. Open http://yourwebsite.com/form.php in the browser and enter text containing any of these words: pills, insurance, rolex.

You'll either see a 403 page plus a log entry, or only a log entry, depending on the SecRuleEngine setting. The syntax for SecRule is:

SecRule VARIABLES OPERATOR [ACTIONS]

Here we used the chain action to match REQUEST_FILENAME against form.php, REQUEST_METHOD against POST and REQUEST_BODY against the regular expression (@rx) (pills|insurance|rolex). The (?i: prefix makes the match case-insensitive. Only when all three rules match is the action applied: deny the request and log it with the msg “Spam detected.” The chain action thus acts as a logical AND across the three rules.
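To see how the chain behaves, here is an added Python model of the three-rule chain above. It is not ModSecurity's code and not part of the original page: it applies the same three conditions to constructed requests and reports what the engine would do under SecRuleEngine On, DetectionOnly and Off. The form_request helper, the result dictionary and the simplified log line are assumptions made for this example.

```python
import re
from urllib.parse import urlencode

# Model of the three-rule chain from the page (constructed for this example,
# not ModSecurity's own implementation). The rule id, variables, patterns and
# message are the ones in the page's rule. ModSecurity's default operator is
# @rx, so the first two patterns are treated as regular expressions as well.
RULE_ID = "400001"
MSG = "Spam detected"
CHAIN = [
    ("REQUEST_FILENAME", re.compile(r"form.php")),
    ("REQUEST_METHOD", re.compile(r"POST")),
    ("REQUEST_BODY", re.compile(r"(?i:(pills|insurance|rolex))")),
]


def form_request(filename, method, fields):
    """Build the variables the chain inspects for a browser form submission.

    Hypothetical helper, not a ModSecurity API. A POST carries the fields as
    the raw application/x-www-form-urlencoded body (the browser encodes
    spaces as '+'); a GET carries them in the query string and has no body.
    """
    encoded = urlencode(fields)
    return {
        "REQUEST_FILENAME": filename,
        "REQUEST_METHOD": method,
        "REQUEST_BODY": encoded if method == "POST" else "",
        "QUERY_STRING": "" if method == "POST" else encoded,
    }


def evaluate_chain(request, engine="On"):
    """Evaluate the chain the way ModSecurity treats it: every rule must match
    before the first rule's disruptive action (deny) is applied.

    `engine` mirrors SecRuleEngine: "On" blocks with 403 and logs,
    "DetectionOnly" only logs, "Off" does nothing. The returned dict and the
    simplified log text are conventions of this example.
    """
    result = {"matched": False, "status": 200, "log": None}
    if engine == "Off":
        return result
    for variable, pattern in CHAIN:
        if pattern.search(request.get(variable, "")) is None:
            return result  # logical AND: one non-matching rule ends the chain
    result["matched"] = True
    detail = (f'[id "{RULE_ID}"] [msg "{MSG}"] '
              f'{request["REQUEST_METHOD"]} {request["REQUEST_FILENAME"]}')
    if engine == "DetectionOnly":
        result["log"] = "Warning. Pattern match. " + detail
    else:
        result["status"] = 403
        result["log"] = "Access denied with code 403. " + detail
    return result


if __name__ == "__main__":
    # Constructed sample submissions; only the first and last match all three rules.
    samples = [
        ("/form.php", "POST", {"data": "Buy a ROLEX today"}, "On"),
        ("/form.php", "POST", {"data": "hello"}, "On"),
        ("/form.php", "GET", {"data": "cheap pills"}, "On"),
        ("/index.php", "POST", {"data": "insurance"}, "On"),
        ("/form.php", "POST", {"data": "insurance"}, "DetectionOnly"),
    ]
    for filename, method, fields, engine in samples:
        r = evaluate_chain(form_request(filename, method, fields), engine)
        print(f"{method:4} {filename:10} engine={engine:13} -> "
              f"{r['status']} {r['log'] or 'no log entry'}")
```

Two caveats the page's rule relies on: ModSecurity only populates REQUEST_BODY when SecRequestBodyAccess is On, and the body rule inspects the raw URL-encoded body only, so the same word sent in a GET query string is never examined (the method rule fails first, and the body is empty anyway). If you want the word list enforced on both, match the ARGS collection instead of REQUEST_BODY.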



ubuntu/modsecurity/writing_your_own_mod_security_rules.txt · Last modified: 2020/07/15 10:30 by 127.0.0.1
