Remove the "chain" action. That is only needed if you are joining multiple rules together. 

Ryan Barnett

Lead Security Researcher, SpiderLabs

 

Trustwave | SMART SECURITY ON DEMAND

www.trustwave.com


On Dec 16, 2013, at 5:07 AM, "Yogesh patel" <yogeshpateldaiict@gmail.com> wrote:

HI

I have one rule stated below which will check query string contains hello or how or are , if it then it block that request.

SecRule QUERY_STRING "@rx ^(hello|how|are):" "chain,phase:2,t:none,block,id:'1',msg:'SLR: ',logdata:'%{matched_var}',severity:'2',tag:'WEB',tag:'111',tag:'test'"


Is above rule fine?  Its not working. It does not block the request having "http://xxx.com/hello=how".


--


Regards,

Yogesh Patel


------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT
organizations don't have a clear picture of how application performance
affects their revenue. With AppDynamics, you get 100% visibility into your
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/



This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.