I have a directory/site set up like this on my Apache/2.2.19 (Win32) server using mod_security + core ruleset/2.2.1

/website1/login.php
/website2/login.php
/website3/login.php
/websiteN/login.php

In my modsecurity_crs_10_config.conf I have

setvar:'tx.brute_force_protected_urls=login.php'

The problem is that it won't work unless I type in the full path for each of the login.php pages, like so:

setvar:'tx.brute_force_protected_urls=/website1/login.php /website2/login.php andSoOn'

I have tried other ways with RegEx to work around it (e.g. /(.*)/login.php) but I can't seem to get it.

So, the question is basically: how do you enforce BFP on all pages called login.php on the server?

Thanks.

PadraigD

2 Answers

Try this:

setvar:'tx.brute_force_protected_urls=/login.php'

If it doesn't work, I suggest enabling debug logging to see what the logs say.

quanta
  • I can't see anything of interest in the log, just says it's checking against the url (/login.php) and does not return with a valid hit. I was trying to use .htaccess to configure, which would make life easier, but it won't work with v2 for security reasons. – PadraigD Sep 08 '11 at 10:15
  • When `setvar:tx.brute_force_protected_urls=/login.php` the log states `Warning. Match of "within %{tx.brute_force_protected_urls}" against "REQUEST_FILENAME" required` – PadraigD Sep 08 '11 at 10:51
I got it working. In 'modsecurity_crs_11_brute_force.conf' I had to change line 39:

SecRule REQUEST_FILENAME "!@within %{tx.brute_force_protected_urls}"  ...

to

SecRule REQUEST_FILENAME "!@contains %{tx.brute_force_protected_urls}" ...

and in 'modsecurity_crs_10_config.conf', have:

setvar:'tx.brute_force_protected_urls=/login.php' ...

Thanks for the help.

PadraigD
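The answer above works because `@within` and `@contains` look in opposite directions: `@within` asks whether the request path occurs inside the protected-URL list (so `/website1/login.php` is never found inside `/login.php`), while `@contains` asks whether the parameter occurs inside the request path. The following is an added example, not code from the question, the answers, ModSecurity or the CRS: a small simulation of the two operators, plus the standard ModSecurity 2.x operator `@endsWith`, evaluated against constructed sample `REQUEST_FILENAME` values and the same `tx.brute_force_protected_urls` settings discussed above.

```python
# Added example (not from the original question or answers, and not
# ModSecurity/CRS code): a simulation of how the ModSecurity operators
# @within, @contains and @endsWith evaluate the brute-force check
#   SecRule REQUEST_FILENAME "!@<op> %{tx.brute_force_protected_urls}"
# The request paths below are constructed sample values.

def op_within(variable: str, parameter: str) -> bool:
    """@within: true when the variable's value occurs inside the parameter.
    The parameter (the protected-URL list) is the haystack; the request
    path is the needle."""
    return variable in parameter


def op_contains(variable: str, parameter: str) -> bool:
    """@contains: true when the parameter occurs inside the variable's value.
    The whole parameter string is the needle; the request path is the haystack."""
    return parameter in variable


def op_ends_with(variable: str, parameter: str) -> bool:
    """@endsWith: true when the variable's value ends with the parameter."""
    return variable.endswith(parameter)


OPERATORS = {"within": op_within, "contains": op_contains, "endsWith": op_ends_with}


def is_protected(request_filename: str, protected_urls: str, operator: str) -> bool:
    """The CRS rule is negated (`!@op`): when the operator does NOT match, the
    rule fires and skips the rest of the brute-force chain. A request is
    therefore subject to brute-force counting exactly when the operator matches."""
    return OPERATORS[operator](request_filename, protected_urls)


def protected_set(request_filenames, protected_urls: str, operator: str):
    """Sorted subset of request paths that the given operator and
    tx.brute_force_protected_urls value would put under brute-force protection."""
    return sorted(f for f in request_filenames
                  if is_protected(f, protected_urls, operator))


# Constructed sample REQUEST_FILENAME values as the server would see them.
SAMPLE_REQUESTS = [
    "/login.php",
    "/website1/login.php",
    "/website2/login.php",
    "/website3/admin/login.php",
    "/website1/index.php",
    "/website1/login.php.bak",
]

if __name__ == "__main__":
    for op, urls in [("within", "/login.php"),
                     ("within", "/website1/login.php /website2/login.php"),
                     ("contains", "/login.php"),
                     ("contains", "/login.php /signin.php"),
                     ("endsWith", "/login.php")]:
        print(f"{op:9} {urls!r:45} -> {protected_set(SAMPLE_REQUESTS, urls, op)}")
```

Running it shows the original symptom: with `@within` and `/login.php` only a request for exactly `/login.php` is protected, and the full-path list is needed for the per-site pages. Two things to check after switching to `@contains`: the whole parameter is treated as one substring, so a space-separated list such as `/login.php /signin.php` matches nothing, and any path containing `/login.php` is protected, including `/website1/login.php.bak`. If that over-match matters, `@endsWith /login.php` covers every `login.php` at any depth without the suffix cases; confirm the chosen operator against the debug log as the first answer suggests.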