[mod-security-users] Problem with REQUEST_BODY SecRule (not catching/denying)
From: hanj <ma...@as...> - 2007-05-27 16:25:29
Hello All,

I'm still working on migrating boxes from 1.x to 2.x and overall, everything is working great. I'm having a weird issue with a custom rule though, and hoping that someone might be able to get me a nudge in the right direction.

I'm using a stripped down and modified blacklist.conf from gotroot.
http://www.gotroot.com/mod_security+rules

I'm having trouble with the following:

    SecDefaultAction "log,deny,phase:1,status:403"
    SecRule REQUEST_BODY "(abc|efg|123)"

For whatever reason, this is not being caught and denied with 403. I use this rule to help on comment spam. I have another layer behind this that is catching the spam (that's how I know the body has the words in the rule, etc., because I get mailed the report from the spam catch).

I used to have the following rule:

    SecFilterSelective POST_PAYLOAD "(abc|efg|123)"

I had to change the exact regEx, since it was getting caught on pharma ban on the mailing list. Just substitute the abc, efg and 123 with the 'usual' pharma crap you get in spam. And it worked flawlessly.

Any ideas?

Current versions:
apache-2.0.58-r2
mod_security-2.1.1

Thanks in advance.
hanji
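
An added configuration example, not part of the original post: in ModSecurity 2.x, REQUEST_BODY is only populated in phase 2 and only when request body buffering is enabled, so a rule inheriting phase:1 from SecDefaultAction has nothing to match against. The sketch below assumes that is the cause here and reuses the post's placeholder words.

```apache
# Added example (not from the original post).

# Before, as posted. Every SecRule inherits phase:1 from SecDefaultAction.
# Phase 1 runs after the request headers are read but before the body is,
# so REQUEST_BODY is still empty and the rule never matches.
#   SecDefaultAction "log,deny,phase:1,status:403"
#   SecRule REQUEST_BODY "(abc|efg|123)"

# After. Buffer the request body and inspect it in phase 2.
SecRequestBodyAccess On
SecDefaultAction "log,deny,phase:2,status:403"

# Raw body match, the closest equivalent of the 1.x
# "SecFilterSelective POST_PAYLOAD" rule. REQUEST_BODY holds the
# undecoded body and is filled only for form-urlencoded requests.
SecRule REQUEST_BODY "(abc|efg|123)"

# Same words matched against the parsed, URL-decoded parameters.
# This also covers multipart form posts and percent-encoded spam text.
SecRule ARGS "(abc|efg|123)" "t:lowercase"
```

Rules that must run before the body is read (header or URI checks) can still carry an explicit phase:1 in their own action list once the default is phase 2.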