Hello,

I've been trying to learn modsecurity lately and I am having issues creating a fairly simple ruleset. Can anyone help me to figure out whats wrong with this?

- Should set variable get_on_admin to 1 when a client does a GET /admin.php, expires 1800 seconds later
- Should redirect a client to http://google.com/ with status 303 when
-- Client does a POST to /admin.php
-- AND Client referer is /admin.php
-- AND variable get_on_admin is not set to 1

Basically, I want to make sure there is a GET to admin.php within 30 minutes of doing a POST to make sure there was a proper display of the form before submiting it. I know it's not perfect and won't prevent bots from accessing the form but it's more for learning purposes and I'll build upon this afterwards...

Here's what I have come up with with various pieces of rules found on the internet:

<LocationMatch ".*admin\.php$">

SecAction "initcol:ip=%{REMOTE_ADDR},id:999400,pass,nolog"
SecRule REQUEST_LINE "^get .*/admin\.php" "t:lowercase,setvar:ip.get_on_admin=1,expirevar:ip.get_on_admin=1800,id:999402"

SecRule REQUEST_LINE "^post .*/admin\.php" "t:lowercase,redirect:http://google.com/,status:303,chain,id:999403"
SecRule REQUEST_HEADERS:Referer "/admin\.php$" "chain"
SecRule IP:GET_ON_ADMIN "!@eq 1"

</LocationMatch>


What wrong with it? Any suggestions on how this could be achieved?


Thanks!