[mod-security-users] Translation of v1 to v2 rules

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

We used to have the following mod_security v1 rule to block countless
comment spam:

SecFilterSelective ARGS "(^|[^_])(comments?|story)=.*(href|http)"

However, the following translation (our interpretation) doesn't appear to
work in the same way.

SecRule
REQUEST_URI|REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer
"(^|[^_])(comments?|story)=.*(href|http)" \
        "deny,log,status:501,id:ZZ0004,severity:2,msg:'Comment Spam'"

What is the problem and how do we rectify it please?

While we are at it, are the following v1 rules correctly translated to
the next block of v2 rules please?

v1:

SecFilterSelective HTTP_x-aaaaaaaaa|HTTP_XAAAAAAAAA ".+$"
SecFilterSelective HTTP_x-aaaaaaaaaaa|HTTP_XAAAAAAAAAAA ".+$"
SecFilterSelective HTTP_x-aaaaaaaaaaaa|HTTP_X_AAAAAAAAAAAA ".+$"

v2 of the above rules:

SecRule HTTP_x-aaaaaaaaa|HTTP_XAAAAAAAAA ".+$" \
        "deny,log,status:501,id:ZZ0010,severity:2,msg:'Comment Spam'"
SecRule HTTP_x-aaaaaaaaaaa|HTTP_XAAAAAAAAAAA ".+$" \
        "deny,log,status:501,id:ZZ0011,severity:2,msg:'Comment Spam'"
SecRule HTTP_x-aaaaaaaaaaaa|HTTP_X_AAAAAAAAAAAA ".+$" \
        "deny,log,status:501,id:ZZ0012,severity:2,msg:'Comment Spam'"

Regards,

Kwong Li
li...@la...
Laser Business Systems Ltd.
http://www.laser.com
http://www.cbus-shop.com