[mod-security-users] Trouble scanning POST Payload
From: hanj <ma...@as...> - 2009-05-18 02:32:50
Hello All,

I'm getting stumped on what I think should be a simple mod_sec rule. Lately, I've been seeing a lot of 'Good site, admin' contact emails from various sites. I want to start blocking these, but I'm having trouble scanning the post (or something else). I have a custom rule set 11_custom.conf and I've tried these two rules. Either seem to be catching my tests:

    SecRule REQUEST_METHOD "^POST$" "chain,auditlog,log,deny,phase:2,status:403,t:urlDecodeUni, t:htmlEntityDecode,t:lowercase,id:20090517,rev:3,severity:2,msg:'Contact Spam Probe'"
    SecRule REQUEST_BODY ".*Good site, admin.*"

and

    SecRule REQUEST_BODY ".*Good site, admin.*" "auditlog,log,deny,phase:2,status:403,t:urlDecodeUni, t:htmlEntityDecode,t:lowercase,id:20090517,rev:3,severity:2,msg:'Contact Spam Probe'"

I'm running the following packages:

    apache-2.2.11
    mod_security-2.1.2

Any ideas what I'm missing here?

Thanks!
hanji
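The two rules from the post, shown beside a corrected form, as an added example that is not part of the original message. It assumes the contact form posts application/x-www-form-urlencoded data and that request body buffering is not already enabled elsewhere in the configuration.

```apache
# REQUEST_BODY is only populated when body buffering is enabled.
SecRequestBodyAccess On

# As posted: t:lowercase runs on the variable BEFORE the regex is applied,
# so the inspected text is "good site, admin" and a pattern containing an
# upper-case "G" can never match.
#
#   SecRule REQUEST_BODY ".*Good site, admin.*" \
#       "auditlog,log,deny,phase:2,status:403,t:urlDecodeUni,\
#        t:htmlEntityDecode,t:lowercase,id:20090517,..."
#
# In the chained variant the t: actions sit on the first rule, so they
# transform REQUEST_METHOD: "POST" becomes "post" and "^POST$" fails
# before the REQUEST_BODY rule is ever evaluated.

# Corrected stand-alone rule: the pattern is written in lower case to match
# the lower-cased input. The ".*" wrappers are dropped because the regex
# operator is unanchored. t:none clears any inherited transformations so
# only the listed ones run.
SecRule REQUEST_BODY "good site, admin" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
auditlog,log,deny,status:403,id:20090517,rev:3,severity:2,\
msg:'Contact Spam Probe'"

# Corrected chained form (use one or the other, not both, since they share
# an id): no case transformation on the method check, and the body
# transformations moved onto the rule that inspects the body. Disruptive
# and metadata actions stay on the chain starter.
#
#   SecRule REQUEST_METHOD "^POST$" \
#       "chain,phase:2,t:none,auditlog,log,deny,status:403,\
#   id:20090517,rev:3,severity:2,msg:'Contact Spam Probe'"
#   SecRule REQUEST_BODY "good site, admin" \
#       "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
```

With the audit log enabled, a test POST containing the phrase should produce a 403 and an entry carrying the 'Contact Spam Probe' message.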