Portal Home > Knowledgebase > Articles Database > Mod Security
Mod Security
Posted by bibook, 07-30-2009, 11:43 AM |
I try to use mod_security to prevent some script in some files,
imagine I want to block all scripts includes "test" in the body
so if code of script.php is :
and someone run script.php , I want block running and show 406 error
now can you tell me how can I write this rule in mod_security 2 with apache 2 ?
I use SecRule RESPONSE_BODY "test" but its now working ...
Thank you in advance
|
Posted by khunj, 07-30-2009, 01:05 PM |
Did you enable SecResponseBodyAccess ?
You'll need also to use the 'phase:4' action.
Note that loading your pages will be slow, in some cases it could even been horribly slow.
|
Posted by foobic, 07-30-2009, 07:56 PM |
Agreed - mod_security isn't a good way to do this. Have you thought about running a cron job to periodically search the web files? eg. something like:
|
Posted by bibook, 07-31-2009, 01:28 AM |
where shall I write this code and enable SecResponseBodyAccess ?
what do you mean phase:4 action ?
thanks
|
Posted by khunj, 07-31-2009, 04:11 AM |
Add the line anywhere inside your modsecurity configuration file, preferably on top of other rules.
Then add your custom rule :
|
Posted by bibook, 07-31-2009, 05:24 PM |
thanks
2 more question
do you have any reference regarding phase:4&... ? I want to learn more about it
second thing, it seems mod security rules are case sensitive ,
Am I right ?
I mean when ever we write
SecRule RESPONSE_BODY "test" "phase:4,...."
if in our code have "TeSt" it doesn't detect
how we can solve this problem ?
|
Posted by khunj, 08-01-2009, 01:53 AM |
RTFM
- Processing Phases
- lowercase or regexp
|
Posted by bibook, 08-01-2009, 02:51 AM |
any idea about case sensitive ?
|
Posted by khunj, 08-01-2009, 02:17 PM |
This is explained in the 2nd and 3rd links I posted :
- use 'lowercase' to convert output to lowercases and then compare it with the string you are looking for.
or
- use regexp with '?i'.
|
Add to Favourites Print this Article
Also Read