ModSecurity 2.5 - Question about inspecting POST payload

How to check RBLs against URI submissions


Cyberpundit

12:34 pm on May 15, 2011 (gmt 0)

10+ Year Member



Hi, I am using the "@rbl" command to block REMOTE_ADDR that is found in blacklists. My rule looks like this:



#---- USE RBLS
SecRule REQUEST_FILENAME "^/comments.php" "log,chain,deny,msg:'Found at multi.uribl.com'"
SecRule REMOTE_ADDR "@rbl multi.uribl.com"



However, I wonder whether this is truly matching URLs that have been submitted in the URL field of the form, or just the "REMOTE_ADDR", i.e. the IP of the person submitting the form.

So I tried the following:


# Rule 1 must carry "chain", otherwise it fires on its own and the ARGS:url check is never tied to it
SecRule REQUEST_METHOD "^(?:post|head)$" "phase:2,t:none,t:lowercase,log,deny,chain,msg:'FORM at zen.spamhaus.org',logdata:'%{matched_var}'"
# @rbl expects a bare hostname or IP; capture the host part of the submitted URL into TX:1 first
SecRule ARGS:url "^(?:https?://)?([^/:?#]+)" "t:none,t:lowercase,capture,chain"
SecRule TX:1 "@rbl zen.spamhaus.org"



The "ARGS:url" means check the FORM INPUT field called "url". But this somehow seems to make my entire site really slow, and not once has it caught anything. I submitted a form on my site with a URL that is surely in zen.spamhaus.org, but I did not see ModSecurity block me.

Any tips on how to inspect any URL that may have been submitted in a form?

Thanks!

Cyberpundit

5:13 pm on May 15, 2011 (gmt 0)




Actually, to explain in plain English what I am looking to accomplish:

I want to create a rule that does this:

1. Check all GET and POST requests to *specific files* on my server, not overall general stuff

2. If a URI is found in the GET or POST (through "ARGS"?) then check it against

(a) FIRST, a local list if possible -- blacklist will block it, whitelist will skip all rules

(b) IF not found in either list, then go for RBL (SpamHaus etc)

(c) If not found there, then also check Google Safe Browsing list


Thanks!
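An added example, not from the posts above, that models the two things the thread turns on: how an @rbl lookup turns the value it is given into a DNS name (modelled on ModSecurity 2.5, which reverses the octets of an IPv4 address and otherwise appends the value verbatim to the zone; confirm against your own version), and the ordering asked for in the second post (local whitelist, then local blacklist, then the RBL). It also shows why the first post's rule could not match: a full URL such as http://host/path becomes "http://host/path.zen.spamhaus.org", which is not a resolvable name, and zen.spamhaus.org lists IP addresses, so a hostname has to be sent to a domain/URI list such as the multi.uribl.com used in the first rule. The list contents, the FAKE_DNS answers and the resolver stub are constructed so it runs offline; the Google Safe Browsing step is left out because it needs a live API.

```python
# Added example (not ModSecurity's code): models @rbl query-name construction
# and a local-list -> RBL pipeline. The resolver is a constructed stub.
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed local lists; a real deployment would load these from files
# (in ModSecurity, for example, via @pmFromFile).
WHITELIST = {"example.com", "www.example.com"}
BLACKLIST = {"bad.example.net"}

# Any http(s) URL embedded in a field value; good enough for form text.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

Resolver = Callable[[str], List[str]]   # name -> A records ([] on NXDOMAIN)


def extract_hosts(form_args: Dict[str, str]) -> List[str]:
    """Pull the hostname out of every URL found in the submitted fields.
    @rbl wants a bare host or IP; feeding it 'http://host/path' builds a
    query name that can never resolve."""
    hosts: List[str] = []
    for value in form_args.values():
        for url in URL_RE.findall(value):
            host = urlsplit(url).hostname      # lower-cased, port stripped
            if host and host not in hosts:
                hosts.append(host)
    return hosts


def is_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ipaddress.AddressValueError:
        return False


def rbl_query_name(target: str, zone: str) -> str:
    """Name an @rbl lookup resolves. Assumption: matches ModSecurity 2.5,
    which reverses IPv4 octets and otherwise uses the value verbatim."""
    if is_ipv4(target):
        return ".".join(reversed(target.split("."))) + "." + zone
    return target + "." + zone


def rbl_listed(target: str, zone: str, resolve: Resolver) -> bool:
    """DNSBL convention: listed iff an A record inside 127.0.0.0/8 comes back."""
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    return any(ipaddress.IPv4Address(a) in loopback
               for a in resolve(rbl_query_name(target, zone)))


def check_submission(form_args: Dict[str, str], resolve: Resolver,
                     ip_zone: str = "zen.spamhaus.org",
                     domain_zone: str = "multi.uribl.com") -> Tuple[str, Optional[str]]:
    """Local whitelist, then local blacklist, then the RBL (one DNS round trip
    per unlisted host, so only run this on the forms that accept URLs).
    Returns ('block', host) or ('clean', None)."""
    for host in extract_hosts(form_args):
        if host in WHITELIST:
            continue                       # whitelisted: skip all remaining checks
        if host in BLACKLIST:
            return "block", host
        # zen lists IP addresses; a hostname has to go to a domain/URI list.
        zone = ip_zone if is_ipv4(host) else domain_zone
        if rbl_listed(host, zone, resolve):
            return "block", host
    return "clean", None


# Constructed DNS answers standing in for the real blocklists.
FAKE_DNS = {
    "spammy.example.org.multi.uribl.com": ["127.0.0.2"],
    "4.3.2.1.zen.spamhaus.org": ["127.0.0.4"],
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    posted = {"url": "http://Spammy.example.org/page",
              "comment": "see https://www.example.com/"}
    print(check_submission(posted, fake_resolve))   # ('block', 'spammy.example.org')
```

The same ordering in ModSecurity terms is a chain per protected script: a whitelist rule that uses "allow" or "skipAfter" on a hit, a blacklist rule that denies, and only then the captured-hostname @rbl rule, so the synchronous DNS lookup is paid only for hosts neither local list already knows.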

Cyberpundit

5:56 pm on May 16, 2011 (gmt 0)




No one?