I've been trying to learn ModSecurity lately and I am having issues creating a fairly simple ruleset. Can anyone help me to figure out what's wrong with this?
- Should set variable get_on_admin to 1 when a client does a GET /admin.php, expires 1800 seconds later
-- Client does a POST to /admin.php
-- AND Client referer is /admin.php
-- AND variable get_on_admin is not set to 1
Basically, I want to make sure there is a GET to admin.php within 30 minutes of doing a POST to make sure there was a proper display of the form before submitting it. I know it's not perfect and won't prevent bots from accessing the form but it's more for learning purposes and I'll build upon this afterwards...
Here's what I have come up with with various pieces of rules found on the internet:
SecRule REQUEST_LINE "^get .*/admin\.php" "t:lowercase,setvar:ip.get_on_admin=1,expirevar:ip.get_on_admin=1800,id:999402"
SecRule REQUEST_HEADERS:Referer "/admin\.php$" "chain"
SecRule IP:GET_ON_ADMIN "!@eq 1"
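
One way to express the logic described in the question, as an added example that is not part of the original post. It assumes ModSecurity 2.x with `SecDataDir` configured for persistent collections; the rule ids 999400 and 999403, the 403 status and the log message are constructed for illustration.

```apache
# Added example, not the poster's rules. Assumes SecRuleEngine On and a
# writable SecDataDir so the IP collection survives between requests.

# 1. Open the per-client persistent collection. Without initcol,
#    setvar:ip.* has nothing to write to and the flag is never stored.
SecAction "id:999400,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# 2. GET /admin.php: set the flag for 1800 seconds.
#    setvar/expirevar sit on the last rule of the chain so they only
#    run when both conditions (method and path) matched.
SecRule REQUEST_METHOD "@streq GET" \
    "id:999402,phase:1,nolog,pass,chain"
    SecRule REQUEST_FILENAME "@endsWith /admin.php" \
        "setvar:ip.get_on_admin=1,expirevar:ip.get_on_admin=1800"

# 3. POST /admin.php with a Referer ending in /admin.php and no flag:
#    deny. The id and the disruptive action belong on the chain starter.
#    &IP:GET_ON_ADMIN counts the variable; "@eq 0" matches when it was
#    never set or has expired. Testing the value with "!@eq 1" finds no
#    target in that case, so the chain would never match.
SecRule REQUEST_METHOD "@streq POST" \
    "id:999403,phase:1,deny,status:403,log,\
    msg:'POST to admin.php without a recent GET',chain"
    SecRule REQUEST_FILENAME "@endsWith /admin.php" "chain"
        SecRule REQUEST_HEADERS:Referer "/admin\.php$" "chain"
            SecRule &IP:GET_ON_ADMIN "@eq 0"
```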