Custom Modsec rule is not working
10 views
Skip to first unread message
Blason R
Apr 21, 2023, 1:46:49 PM4/21/23
to ModSecurity Core Rule Set project
Hi Team,
I am not pro but trying to write a custom rule which I thought should have been much simpler with nginx configuration. However I have been struggling with config for last two days and it did not work with nginx; hence eventually I decided to write my own rule to block the /administrator panel if the REQUEST_URI @contains.
Ervin Hegedüs
Apr 24, 2023, 3:05:30 AM4/24/23
to Blason R, ModSecurity Core Rule Set project
Hi Blason R,
On Fri, Apr 21, 2023 at 11:16:35PM +0530, Blason R wrote:
[...]
> Am I doing anything wrong here?
>
> Here are the requests
> 192.168.5.232 - - [21/Apr/2023:23:10:34 +0530] "GET /administrator
> HTTP/2.0" 301 165 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
> Gecko/20100101 Firefox/112.0"
> 192.168.5.232 - - [21/Apr/2023:23:10:53 +0530] "GET /administrator/
> HTTP/2.0" 302 154 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
> Gecko/20100101 Firefox/112.0"
> 192.168.5.232 - - [21/Apr/2023:23:11:03 +0530] "GET
> /administrator/Login.aspx?Session=Out HTTP/2.0" 200 6013 "-" "Mozilla/5.0
> (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
>
> And here is the rule in modsecurity.conf
> SecRule REQUEST_URI "@contains /administrator"
> "id:10,phase:1,t:none,t:lowercase,deny,status:403,log,msg:'Admin Panel
> Unathorised Access'"
>
> And how do I allow or bypass certain IP addresses?
your rule seems good.
Could you turn on the debug log for a while, and check this rule?
SecDebugLog /var/log/nginx/modsec_debug.log
SecDebugLogLevel 9
and after sending a request, check the log, especially the rule
ID 10.
a.
On Fri, Apr 21, 2023 at 11:16:35PM +0530, Blason R wrote:
[...]
> Am I doing anything wrong here?
>
> Here are the requests
> 192.168.5.232 - - [21/Apr/2023:23:10:34 +0530] "GET /administrator
> HTTP/2.0" 301 165 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
> Gecko/20100101 Firefox/112.0"
> 192.168.5.232 - - [21/Apr/2023:23:10:53 +0530] "GET /administrator/
> HTTP/2.0" 302 154 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
> Gecko/20100101 Firefox/112.0"
> 192.168.5.232 - - [21/Apr/2023:23:11:03 +0530] "GET
> /administrator/Login.aspx?Session=Out HTTP/2.0" 200 6013 "-" "Mozilla/5.0
> (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
>
> And here is the rule in modsecurity.conf
> SecRule REQUEST_URI "@contains /administrator"
> "id:10,phase:1,t:none,t:lowercase,deny,status:403,log,msg:'Admin Panel
> Unathorised Access'"
>
> And how do I allow or bypass certain IP addresses?
Could you turn on the debug log for a while, and check this rule?
SecDebugLog /var/log/nginx/modsec_debug.log
SecDebugLogLevel 9
and after sending a request, check the log, especially the rule
ID 10.
a.
Reply all
Reply to author
Forward
0 new messages