Not being all that experienced with mod_sec, I've set out today to read
a load of docs, and write a rule to fix a particular hole in a legacy
Here is my rule:
SecRule ARGS:domain_name "!@rx (?i:[[:alnum:]\.\-]+)" \
    "log,deny,msg:'argument to domain_name parameter disallowed'"
At the moment, the rule is triggered if the domain_name variable is
blank, but not if I put in something like <script>alert('xss')</script>
The audit log shows this when matching the blank argument:
Message: Access denied with code 501 (phase 4). Match of "rx
(?i:[[:alnum:]\\.\\-]+)" against "ARGS:domain_name" required. [msg
"argument to domain_name parameter disallowed"]
Can anyone suggest what I'm doing wrong, and how I can ensure that the
argument to the domain_name= parameter matches [[:alnum:]\.\-]+ and
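
Added example, not part of the original post: a Python model of the behaviour described above, showing why a negated, unanchored `@rx` fires on a blank value but not on `<script>alert('xss')</script>`, and how requiring the pattern to cover the whole value changes that. The function names and sample values are constructed for this illustration, and `[[:alnum:]]` is written as `A-Za-z0-9` because Python's `re` has no POSIX classes.

```python
import re

# The character class from the posted rule. [[:alnum:]] is spelled out as
# A-Za-z0-9 here (an assumption of this example; Python lacks POSIX classes).
POSTED = re.compile(r"(?i:[A-Za-z0-9.\-]+)")


def fires_unanchored(value):
    """Model of `!@rx PATTERN` as posted.

    @rx searches for the pattern anywhere in the value; the leading `!`
    makes the rule fire only when no match was found at all.
    """
    return POSTED.search(value) is None


def fires_anchored(value):
    """Same negated test, but the pattern must cover the entire value,
    which is the effect of anchoring it at both ends (^ ... $)."""
    return POSTED.fullmatch(value) is None


# Constructed sample values for the domain_name parameter.
SAMPLES = ["", "example.com", "<script>alert('xss')</script>", "a.b<", "<>"]


def report():
    """Map each sample to (unanchored rule fires, anchored rule fires)."""
    return {v: (fires_unanchored(v), fires_anchored(v)) for v in SAMPLES}


if __name__ == "__main__":
    for value, (loose, strict) in report().items():
        print(f"{value!r:35} unanchored={loose!s:5} anchored={strict}")
```

The unanchored form only denies values that contain no permitted character at all; any value with a single letter, digit, dot or hyphen in it passes.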