
I want a ModSecurity rule which blocks access to any URL or any POST/GET request body if it contains a specific string.

For example, I want to block this string: "km0ae9gr6m"

I have this rule in place, but it doesn't seem to be working.

SecRule ARGS "km0ae9gr6m" "log,deny,msg:'Access Denied'"

Farhan

3 Answers


Which ModSecurity version are you using? The ARGS variable only includes QUERY_STRING + POST_PAYLOAD in version 1.X. If you're running version 2.X with your above rule, testing with a request like the one below:

http://domain.com/a?b=km0ae9gr6m

you'll see something like this in the audit_log:

[modsecurity] [client x.x.x.x] [domain domain.com] [302] [/20120813/20120813-1226/20120813-122624-70QXqH8AAAEA AEucDbkAAAAA] [file "/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf"] [line "305"] [msg "Access Denied"] Access denied with code 403 (phase 2). Pattern match "km0ae9gr6m" at ARGS:b.

In ModSecurity 2.x, ARGS expands to individual variables. So, try this:

SecRule REQUEST_URI|ARGS|REQUEST_BODY "km0ae9gr6m" "log,deny,msg:'Access Denied'"
quanta
  • I am using ModSecurity 2.6, and I have created an HTML page containing this string. I have hosted that page on Apache, and with your rule above it still opens the page and does not detect this string. – Farhan Aug 13 '12 at 08:24
  • I have tried with a RESPONSE_BODY match as well, but it is still not working. I pasted this string into an HTML page and tried to open it remotely, and it opened without any issues. – Farhan Aug 13 '12 at 08:27
  • Your original question is not clear. If you want to filter output, as you posted below, do it in [`phase:4`](http://www.modsecurity.org/documentation/modsecurity-apache/2.5.7/html-multipage/processing-phases.html). – quanta Aug 13 '12 at 08:59

The only thing I was missing was the processing phase in which this rule must be put to make it work. So the actual rule is here:

SecRule REQUEST_URI|ARGS|REQUEST_BODY "km0ae9gr6m" "phase:4,log,deny,msg:'Access Denied'"

With this rule you can easily block any type of response that you do not want any user to see. ModSecurity will detect it on its way out to the server and will block it.

user1007727
Farhan

The above answer is correct; use phase:1. You can also use the "@contains" partial string match operator to stop a request that has the unwanted string as part of a longer string. For example, I don't have WordPress, so when I get requests for wp-login, wp-admin, etc., I can block them all with one rule:

SecRule REQUEST_URI "@contains wp-" "id:101,phase:1,deny,status:409,msg:'Denied'"

On a side note, the message from msg: seems to only appear in the logs; the message the user sees I have added in the Apache config: ErrorDocument 409 "ACCESS STRICTLY FORBIDDEN"

Chris
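The three answers above each cover one piece of the picture: quanta's rule inspects the request, Farhan's phase:4 rule is aimed at the page content, and Chris's phase:1 rule drops unwanted paths early. The following rule set is an added example, not code from any of the answers, that puts the pieces together for ModSecurity 2.x. It assumes ModSecurity 2.7 or later (where every rule must carry a unique `id`, which the rules posted above lack), Apache, and that no other rule set owns the ids 900100 to 900102, which are arbitrary. Two points it makes explicit: `REQUEST_URI`, `ARGS` and `REQUEST_BODY` still describe the request when evaluated in phase 4, so a rule that is meant to catch the string in a served page has to match `RESPONSE_BODY`; and response inspection is off unless `SecResponseBodyAccess On` is set and the response MIME type is in `SecResponseBodyMimeType`, which is the usual reason a phase:4 rule appears to do nothing.

```apache
# Added example (not from the original answers): ModSecurity 2.x rules
# that block a marker string in the request and in the served response.
# Assumptions: ModSecurity 2.7+, Apache, rule ids 900100-900102 unused.

SecRuleEngine On
SecRequestBodyAccess On

# Response-side inspection is disabled by default. Without these three
# directives a phase:4 rule on RESPONSE_BODY never sees the page.
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# 1. Request side. REQUEST_URI is available in phase 1, but POST arguments
#    and REQUEST_BODY exist only after the body has been read, so one rule
#    covering URL, query, body and headers belongs in phase 2.
#    t:none discards inherited transformations; t:lowercase makes the
#    @contains check case-insensitive (the pattern itself is lowercase).
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_BODY|REQUEST_HEADERS "@contains km0ae9gr6m" \
    "id:900100,phase:2,t:none,t:lowercase,deny,status:403,log,msg:'Request contains km0ae9gr6m'"

# 2. Response side. This is the rule that blocks a page whose content
#    carries the string. ModSecurity buffers the response body when
#    SecResponseBodyAccess is On, so deny here replaces the page with the
#    403 error document instead of letting it out.
SecRule RESPONSE_BODY "@contains km0ae9gr6m" \
    "id:900101,phase:4,t:none,t:lowercase,deny,status:403,log,msg:'Response contains km0ae9gr6m'"

# 3. Early drop of paths this host never serves, a tightened form of the
#    wp- rule above: @beginsWith /wp- matches /wp-login.php and /wp-admin/
#    but not an unrelated path that merely contains "wp-". Only the request
#    line is needed, so phase 1 is enough.
SecRule REQUEST_URI "@beginsWith /wp-" \
    "id:900102,phase:1,t:none,deny,status:403,log,msg:'WordPress path on non-WordPress host'"
```

To check rule 900100, request `/a?b=km0ae9gr6m` (or POST the string in a form field) and look for the `id "900100"` entry in the audit log; to check 900101, serve a static HTML file containing the string and confirm the client receives a 403 rather than the page. As Chris notes, `msg:` is only logged; the text the client sees comes from Apache's `ErrorDocument 403 ...` directive for the status used in the rule.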