Subject: Translation of v1 to v2 rules
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2006-12-15 11:23:15 GMT

We used to have the following mod_security v1 rule to block countless
comment spam:

SecFilterSelective ARGS "(^|[^_])(comments?|story)=.*(href|http)"

However, the following translation (our interpretation) doesn't appear to
work in the same way.

SecRule REQUEST_URI|REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
"(^|[^_])(comments?|story)=.*(href|http)" \
"deny,log,status:501,id:ZZ0004,severity:2,msg:'Comment Spam'"

What is the problem and how do we rectify it please?

While we are at it, are the following v1 rules correctly translated to
the next block of v2 rules please?

v1:

SecFilterSelective HTTP_x-aaaaaaaaa|HTTP_XAAAAAAAAA ".+$"
SecFilterSelective HTTP_x-aaaaaaaaaaa|HTTP_XAAAAAAAAAAA ".+$"
SecFilterSelective HTTP_x-aaaaaaaaaaaa|HTTP_X_AAAAAAAAAAAA ".+$"

v2 of the above rules:

SecRule HTTP_x-aaaaaaaaa|HTTP_XAAAAAAAAA ".+$" \
"deny,log,status:501,id:ZZ0010,severity:2,msg:'Comment Spam'"
SecRule HTTP_x-aaaaaaaaaaa|HTTP_XAAAAAAAAAAA ".+$" \
"deny,log,status:501,id:ZZ0011,severity:2,msg:'Comment Spam'"
SecRule HTTP_x-aaaaaaaaaaaa|HTTP_X_AAAAAAAAAAAA ".+$" \
"deny,log,status:501,id:ZZ0012,severity:2,msg:'Comment Spam'"
Regards,
Kwong Li
li <at> laser.com
Laser Business Systems Ltd.
http://www.laser.com
http://www.cbus-shop.com
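
Added example, not part of the original post and not ModSecurity code: a small Python model of which strings the regex from the post is tested against under each rule. It assumes, per the ModSecurity 1.x reference, that v1 `ARGS` is the raw query string plus POST payload, while v2 tests each member of every listed collection separately; the helper names and sample requests are constructed.

```python
import re
from urllib.parse import parse_qsl

# Pattern copied verbatim from the post.
PATTERN = re.compile(r"(^|[^_])(comments?|story)=.*(href|http)")

def v1_targets(req):
    # Assumption: v1 ARGS = raw query string and raw POST body, so the
    # "name=value" text is visible to the regex. URL decoding is not modelled.
    return [t for t in (req["query"], req["body"]) if t]

def v2_targets(req):
    # v2 model: each collection member is matched on its own.
    pairs = parse_qsl(req["query"], keep_blank_values=True)
    pairs += parse_qsl(req["body"], keep_blank_values=True)
    uri = req["path"] + ("?" + req["query"] if req["query"] else "")
    targets = [uri, req["path"]]                 # REQUEST_URI, REQUEST_FILENAME
    targets += [value for _, value in pairs]     # ARGS: values only, no "name="
    targets += [name for name, _ in pairs]       # ARGS_NAMES: names only
    targets += [v for h, v in req["headers"].items()
                if h.lower() != "referer"]       # REQUEST_HEADERS minus Referer
    return targets

def evaluate(req):
    """Return (v1_rule_matches, v2_rule_matches) for one request."""
    hit = lambda targets: any(PATTERN.search(t) for t in targets)
    return hit(v1_targets(req)), hit(v2_targets(req))

# Constructed sample requests.
POST_SPAM = {"path": "/blog/post.php", "query": "",
             "body": "name=bob&comment=buy+http://spam.example/",
             "headers": {"Host": "www.example.com"}}
GET_SPAM = {"path": "/blog/post.php",
            "query": "comment=buy+http://spam.example/", "body": "",
            "headers": {"Host": "www.example.com"}}
COOKIE_ONLY = {"path": "/index.php", "query": "", "body": "",
               "headers": {"Cookie": "story=17; back=http://www.example.com/"}}

if __name__ == "__main__":
    for label, req in (("POST spam", POST_SPAM), ("GET spam", GET_SPAM),
                       ("benign cookie", COOKIE_ONLY)):
        v1, v2 = evaluate(req)
        print(f"{label:14} v1={v1} v2={v2}")
```

Under this model the v2 rule misses a spam comment submitted in a POST body, catches the same comment in a GET only through `REQUEST_URI`, and newly matches a harmless request because of a header value.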