From: K. C. Li <li <at> laser.com>
Subject: Translation of v1 to v2 rules
Newsgroups: gmane.comp.apache.mod-security.user
Date: Friday 15th December 2006 11:23:15 UTC (over 10 years ago)
We used to have the following mod_security v1 rule to block countless
comment spam:

SecFilterSelective ARGS "(^|[^_])(comments?|story)=.*(href|http)"

However, the following translation (our interpretation) doesn't appear to
work in the same way.

SecRule REQUEST_URI|REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
        "(^|[^_])(comments?|story)=.*(href|http)" \
        "deny,log,status:501,id:ZZ0004,severity:2,msg:'Comment Spam'"

What is the problem and how do we rectify it please?

While we are at it, are the following v1 rules correctly translated to
the next block of v2 rules please?

v1:

SecFilterSelective HTTP_x-aaaaaaaaa|HTTP_XAAAAAAAAA ".+$"
SecFilterSelective HTTP_x-aaaaaaaaaaa|HTTP_XAAAAAAAAAAA ".+$"
SecFilterSelective HTTP_x-aaaaaaaaaaaa|HTTP_X_AAAAAAAAAAAA ".+$"

v2 of the above rules:

SecRule HTTP_x-aaaaaaaaa|HTTP_XAAAAAAAAA ".+$" \
        "deny,log,status:501,id:ZZ0010,severity:2,msg:'Comment Spam'"
SecRule HTTP_x-aaaaaaaaaaa|HTTP_XAAAAAAAAAAA ".+$" \
        "deny,log,status:501,id:ZZ0011,severity:2,msg:'Comment Spam'"
SecRule HTTP_x-aaaaaaaaaaaa|HTTP_X_AAAAAAAAAAAA ".+$" \
        "deny,log,status:501,id:ZZ0012,severity:2,msg:'Comment Spam'"

Regards,

Kwong Li
[email protected]
Laser Business Systems Ltd.
http://www.laser.com
http://www.cbus-shop.com
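
Added example, not part of the original post: a small Python model of why the pattern from the message can stop matching after the move. It assumes a 1.x-style ARGS target is the raw name=value string, while a 2.x-style ARGS target is each argument value tested on its own. The sample requests, function names and the split name/value patterns are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Pattern copied from the post; it expects "name=" and the value in one string.
V1_PATTERN = re.compile(r"(^|[^_])(comments?|story)=.*(href|http)")

# Hypothetical split of the same check for matching one argument at a time.
NAME_PATTERN = re.compile(r"(comments?|story)")
VALUE_PATTERN = re.compile(r"(href|http)")


def raw_string_match(raw_args: str) -> bool:
    """Model of a 1.x-style target: the whole name=value&... string at once."""
    return V1_PATTERN.search(raw_args) is not None


def per_value_match(raw_args: str) -> bool:
    """Model of a 2.x-style target: each decoded value is tested alone,
    so the 'comment=' part of the pattern has nothing to match against."""
    pairs = parse_qsl(raw_args, keep_blank_values=True)
    return any(V1_PATTERN.search(value) for _, value in pairs)


def name_and_value_match(raw_args: str) -> bool:
    """Per-argument form of the same intent: the name must be exactly
    comment, comments or story (so '_comment' is excluded, as [^_] did),
    and the value must contain href or http."""
    pairs = parse_qsl(raw_args, keep_blank_values=True)
    return any(
        NAME_PATTERN.fullmatch(name) and VALUE_PATTERN.search(value)
        for name, value in pairs
    )


# Constructed sample requests (urlencoded argument strings).
SPAM = "name=bob&comment=buy+%3Ca+href%3Dhttp%3A%2F%2Fspam.example%2F%3Ehere%3C%2Fa%3E"
UNDERSCORE = "_comment=see+http%3A%2F%2Fexample.org"
CLEAN = "name=bob&comment=nice+post"

if __name__ == "__main__":
    for label, sample in (("spam", SPAM), ("underscore", UNDERSCORE), ("clean", CLEAN)):
        print(label, raw_string_match(sample), per_value_match(sample),
              name_and_value_match(sample))
```
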

