Re: [Mod-security-rules] Redirect if REQ Method is PUT and Content Type is Word

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi Maik,
Are you using Core Rule Set and if so which version?
Are you using the default scoring method of “Anomaly Scoring Mode”?

In Anomaly Scoring you have to change the default action at the very end of all the rules. So you need to set that in the file RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
Make sure to remove the “.example” on that file. You will also want to check the example that is in there because the rule id# you use is going to be specific to your version of CRS.
Essentially, in the default Anomaly mode you have to update the action to the blocking rules that trigger once all the anomalies are added up. In the example below that is rules 949110 and 959100.
I also think that if you are redirecting you do not need to change the "status:302” as ModSecurity should default to that. But if you wanted a different HTML code you would put that in the rule id: 100 that I made below. Allowed codes for a redirect are: 301, 302, 303, or 307

Try adding this to RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

# Redirect to another URL on blocking
#
SecRuleUpdateActionById 949110 "t:none,redirect:'http://mydomain/error.html'"
SecRuleUpdateActionById 959100 "t:none,redirect:'http://mydomain/error.html'"

Then in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf you would add:

# Block all requests for application/msword
# 
SecRule REQUEST_HEADERS:Content-Type “@contains application/msword" \
    "id:100,\
    phase:2,\
    block,\
    t:none,\
    pass,\
    log,\
    chain’"
        SecRule REQUEST_METHOD “^PUT$”

Then restart  your web server.
The audit.log should show you how it processed so I’d check that after testing your rule.

> On Jun 10, 2020, at 4:31 AM, Maik Linnemann <mai...@pr...> wrote:
> 
> Dear List, 
>  
> i have a rule: 
>  
> SecRule REQUEST_HEADERS:Content-Type "@contains application/msword" "chain,id:1,block,log,auditlog"
>         SecRule REQUEST_METHOD "PUT"
>  
> And i have a default Action:
>  
> SecDefaultAction phase:1,status:302,redirect:/error.html,log,auditlog
>  
> But the redirection never happens when i upload a word document. It is blocked but no redirection.
>  
> The browser log says:
>  
> PUT https://my.domain.com/error.html <https://my.domain.com/error.html> net::ERR_TOO_MANY_REDIRECTS jquery.js:8630
>  
> I tried douzens of things, it never redirects. Can someone please help.
>  
> Thanks, 
>  
> With kind of regards, 
>  
> Maik
> .::provIT::.
> 
> Maik Linnemann
> 
> Brahmsstrasse 4a
> 
> 48291 Telgte
> 
> +49 177 3251429
> 
> mai...@pr... <mailto:mai...@pr...>_______________________________________________
> Mod-security-rules mailing list
> Mod...@li... <mailto:Mod...@li...>
> https://lists.sourceforge.net/lists/listinfo/mod-security-rules <https://lists.sourceforge.net/lists/listinfo/mod-security-rules>