What version of ModSecurity are you using? Can you give some audit log examples of the type of transaction you want to block?

My guess here is that while you do want to use RegEx anchors for the SCRIPT_FILENAME variable (to reduce evasions and false positives), it is probably too restrictive and is preventing the REQUEST_BODY variable from matching, as there is probably other data present such as the parameter names, etc…

From: mod-security-users-bounces@lists.sourceforge.net [mailto:mod-security-users-bounces@lists.sourceforge.net] On Behalf Of SoFy DeNiro
Sent: Tuesday, May 27, 2008 9:15 AM
To: mod-security-users@lists.sourceforge.net
Subject: [mod-security-users] REQUEST_BODY question.

Hello,

I'm trying to make some files denied for any user, except if he has 0 UID. I tried this rule:

SecRule SCRIPT_FILENAME|REQUEST_BODY "^/home/user/important\.php$" chain
SecRule SCRIPT_UID "!^0$"

Then, I can't log to this file from the browser and that's fine, but I can get it from PHP code, so that means the REQUEST_BODY didn't work.

Any suggestions?
Thanks.
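
An added illustration of the point made in the reply at the top of this thread (not code from either poster or from the ModSecurity project): a small Python model of how the anchored pattern evaluates against each rule target, with Python's `re` standing in for ModSecurity's regex engine. The sample request body, the unanchored pattern and the URL-decoding step are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Pattern exactly as written in the rule from the original message.
ANCHORED = r"^/home/user/important\.php$"
# Hypothetical relaxed pattern for body inspection: same path, no anchors.
UNANCHORED = r"/home/user/important\.php"

# Constructed sample transaction (not taken from a real audit log).
SAMPLE = {
    "SCRIPT_FILENAME": "/home/user/important.php",
    "REQUEST_BODY": "action=view&file=%2Fhome%2Fuser%2Fimportant.php&submit=Go",
}


def matched_variables(pattern, variables, decode=False):
    """Return the names of the variables the pattern matches.

    Models a rule with several targets: the operator is run against each
    variable separately and the rule fires if any one of them matches.
    decode=True stands in for a URL-decoding transformation applied to the
    value before the operator runs.
    """
    rx = re.compile(pattern)
    hits = []
    for name, value in variables.items():
        if decode:
            value = unquote_plus(value)
        if rx.search(value):
            hits.append(name)
    return hits


def compare(variables=SAMPLE):
    """Evaluate the anchored and unanchored patterns on the sample."""
    body = {"REQUEST_BODY": variables["REQUEST_BODY"]}
    return {
        "anchored, all targets": matched_variables(ANCHORED, variables),
        "anchored, decoded body": matched_variables(ANCHORED, body, decode=True),
        "unanchored, raw body": matched_variables(UNANCHORED, body),
        "unanchored, decoded body": matched_variables(UNANCHORED, body, decode=True),
    }


if __name__ == "__main__":
    for case, hits in compare().items():
        print(f"{case:26} -> {hits or 'no match'}")
```

Only the unanchored pattern applied to the decoded body matches REQUEST_BODY in this sample; the anchors remain appropriate for SCRIPT_FILENAME, which holds nothing but the path.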