
Need rule to block requests with ARGS_NAMES that begin with specific character

Rules
2018-03-29
2018-03-29
  • Joseph Jozwik

    Joseph Jozwik - 2018-03-29

    Working on a rule to block traffic based on the starting character of ARGS_NAMES either cookie, get or post

    Example allow

    name=Joe

    Example block

    #name=Joe
    

    Test rule that is not working

    SecRule ARGS_NAMES "^(#.*)$" "phase:1,id:199,log,deny,msg:'Block Argname with hash'"

     

    Last edit: Joseph Jozwik 2018-03-29
    • Chaim Sanders

      Chaim Sanders - 2018-03-29

      I see what you're going for. Check out the regex the OWASP Core Rule Set
      twitter (https://twitter.com/CoreRuleSet) just suggested:

      SecRule ARGS_NAMES|REQUEST_COOKIES_NAMES "@rx ^#|\[(?:\'|\")?#.*\]" \
      "id:123,phase:2,deny,status:403,t:urldecodeuni,msg:'SA-CORE-2018-002'"

      On Thu, Mar 29, 2018 at 10:10 AM, Joseph Jozwik jjozwik@users.sourceforge.net wrote:

      Working on a rule to block traffic based on the starting character of
      ARGS_NAMES either cookie, get or post

      Example allow

      name=Joe

      Example block
      #name=Joe

      Test rule that is not working

      SecRule ARGS_NAMES "^(#.*)$" "phase:1,id:199,log,deny,msg:'Block Argname with hash'"


      --

      Chaim Sanders
      http://www.ChaimSanders.com

       
      • Joseph Jozwik

        Joseph Jozwik - 2018-03-29

        Yes that is it :-)

         

        Last edit: Joseph Jozwik 2018-03-29
  • Joseph Jozwik

    Joseph Jozwik - 2018-03-29

    These rules seem to work

    SecRule ARGS_GET_NAMES "^(#.*)$" "id:193,log,deny,msg:'Block ARGS Name with hash GET'"
    
    SecRule ARGS_POST_NAMES "^(#.*)$" "id:192,log,deny,msg:'Block ARGS Name with hash POST',logdata:'%{tx.httpbl_msg}',setvar:tx.httpbl_msg=$"
    
    SecRule REQUEST_COOKIES_NAMES "^(#.*)$" "id:194,log,deny,msg:'Block ARGS Name with hash COOKIE'"
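
An added example, not part of the thread: a small Python harness that runs the patterns discussed above over constructed parameter names taken from a query string, a form body and a Cookie header. Python's `re` stands in for ModSecurity's regex engine, the second percent-decode only approximates `t:urldecodeuni`, and `collect_names`, `flagged` and the sample request are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote

# ANCHORED: the pattern from the first post (name must start with '#').
# BRACKETED: the suggested expression with literal (escaped) square brackets.
# CHAR_CLASS: the same text with the brackets unescaped, which makes [...]
# a character class matching any ONE of ( ? : ' | " ) # . *
ANCHORED = re.compile(r"^(#.*)$")
BRACKETED = re.compile(r"""^#|\[(?:'|")?#.*\]""")
CHAR_CLASS = re.compile(r"""^#|[(?:'|")?#.*]""")


def collect_names(query="", body="", cookie=""):
    """Return parameter names from query string, form body and Cookie header.
    Query and body names are percent-decoded once, as an argument parser does."""
    names = [k for k, _ in parse_qsl(query, keep_blank_values=True)]
    names += [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    for pair in cookie.split(";"):
        key = pair.partition("=")[0].strip()
        if key:
            names.append(key)
    return names


def flagged(pattern, names, extra_decode=False):
    """Names the pattern matches. extra_decode approximates t:urldecodeuni
    with one more percent-decode (assumption: no %uXXXX handling here)."""
    hits = []
    for name in names:
        candidate = unquote(name) if extra_decode else name
        if pattern.search(candidate):
            hits.append(name)
    return hits


# Constructed sample request, not taken from the thread.
SAMPLE = collect_names(
    query="name=Joe&%23name=Joe&file.name=a.txt",
    body="form[%23key]=1&form['%23key']=1&%2523twice=1",
    cookie="session=abc; #pref=1",
)

if __name__ == "__main__":
    for label, pat in (("anchored", ANCHORED), ("bracketed", BRACKETED),
                       ("char class", CHAR_CLASS)):
        print(f"{label:10} {flagged(pat, SAMPLE, extra_decode=True)}")
```

The anchored pattern misses `#` keys nested inside brackets, and the character-class form flags the ordinary name `file.name`, which the escaped-bracket form does not.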
    
     
