I would also add "t:lowercase" to your rule, so that Hello, hello, hEllo, etc. can be intercepted as well:

SecRule QUERY_STRING "@rx ^(hello|how|are)" "phase:2,t:none,t:lowercase,block,id:'1',msg:'SLR: ',logdata:'%{matched_var}',severity:'2',tag:'WEB',tag:'111',tag:'test'"


Marcus Semblano
CT - Security | Security Specialist
T: 11 3544-0444

Locaweb – www.locaweb.com.br
Leader in Hosting Infrastructure Services in Brazil and Latin America in 2012, according to IDC
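To make the effect of the transformation pipeline concrete, here is a small Python emulation (added here, not part of the thread and not ModSecurity code) of how the @rx operator is applied to QUERY_STRING after the t:none / t:lowercase transformations. The two regex patterns are copied from the rules quoted in this thread; the sample query strings are constructed for the example. Besides the case-folding point above, it also shows that both patterns are anchored with ^, so the keyword only matches at the very start of the query string, and that the original pattern's trailing ":" requires a literal colon after the keyword.

```python
import re

# Patterns taken from the two rules in the thread.
ORIGINAL_PATTERN = r"^(hello|how|are):"   # as posted in the original question
CORRECTED_PATTERN = r"^(hello|how|are)"   # as in the follow-up reply


def apply_transformations(raw_value, transformations):
    """Emulate the subset of ModSecurity transformations used in the thread.

    t:none resets the pipeline to the raw value; t:lowercase folds case.
    """
    value = raw_value
    for t in transformations:
        if t == "none":
            value = raw_value
        elif t == "lowercase":
            value = value.lower()
        else:
            raise ValueError(f"unsupported transformation in this emulation: {t}")
    return value


def rule_matches(query_string, pattern, transformations=("none",)):
    """Return True when the @rx pattern matches QUERY_STRING after transformations."""
    target = apply_transformations(query_string, transformations)
    return re.search(pattern, target) is not None


def evaluate(query_string):
    """Evaluate one constructed query string against the three rule variants."""
    return {
        "original": rule_matches(query_string, ORIGINAL_PATTERN, ("none",)),
        "fixed_no_lowercase": rule_matches(query_string, CORRECTED_PATTERN, ("none",)),
        "fixed_lowercase": rule_matches(query_string, CORRECTED_PATTERN, ("none", "lowercase")),
    }


if __name__ == "__main__":
    # Constructed sample query strings (the first one is the case from the question).
    for qs in ("hello=how", "HeLLo=how", "foo=1&hello=2", "how:are"):
        print(qs, evaluate(qs))
```

Only the `fixed_lowercase` variant blocks "HeLLo=how", which is the point of adding t:lowercase; none of the variants match "foo=1&hello=2" because the pattern is anchored to the start of the query string, so drop the ^ if the keyword may appear in any parameter.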

From: Ryan Barnett [RBarnett@trustwave.com]
Sent: Monday, December 16, 2013 9:53 AM
To: <mod-security-users@lists.sourceforge.net>
Cc: mod-security-users@lists.sourceforge.net
Subject: Re: [mod-security-users] QUERY_STRING Rule is not working

Remove the "chain" action. That is only needed if you are joining multiple rules together. 

Ryan Barnett

Lead Security Researcher, SpiderLabs




On Dec 16, 2013, at 5:07 AM, "Yogesh patel" <yogeshpateldaiict@gmail.com> wrote:


I have one rule, stated below, which will check whether the query string contains hello or how or are; if it does, it blocks that request.

SecRule QUERY_STRING "@rx ^(hello|how|are):" "chain,phase:2,t:none,block,id:'1',msg:'SLR: ',logdata:'%{matched_var}',severity:'2',tag:'WEB',tag:'111',tag:'test'"

Is the above rule fine? It's not working. It does not block a request to "http://xxx.com/hello=how".



Yogesh Patel
