This section provides further examples of custom rules.

  • To block requests whose Host header is not in the allow list (ct-vs1.local and ct-vs2.local). Note that @pm matches substrings, so a Host such as evil-ct-vs1.local would also pass this rule; use an anchored @rx pattern where exact matching is required.

SecRule REQUEST_HEADERS:Host "!@pm ct-vs1.local ct-vs2.local" "msg:'Found bad hostname in request', severity:'CRITICAL', id:4913102, rev:'2', phase:request, block, t:none, t:lowercase, ver:'OWASP_CRS/3.0.0', maturity:'9', accuracy:'9', capture, logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-reputation-scanner', tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER', tag:'WASCTC/WASC-21', tag:'OWASP_TOP_10/A7', tag:'PCI/6.5.10', setvar:'tx.msg=%{rule.msg}', setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}, setvar:ip.reput_block_flag=1, expirevar:ip.reput_block_flag=%{tx.reput_block_duration}, setvar:'ip.reput_block_reason=%{rule.msg}'"
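
Because @pm reports a match when any listed string appears anywhere in the header value, the rule above also accepts a Host such as evil-ct-vs1.local. The following pair of rules is an added example, not part of the original page: it uses an anchored @rx so that the whole header must equal one of the allowed names (an explicit port is tolerated) and it rejects requests that carry no Host header at all. The rule IDs 4913103 and 4913104 are arbitrary.

```apache
# Added example (not from the original page). Rule IDs are arbitrary.

# Reject requests without any Host header. The allow-list rule below can
# never fire on an absent header, so this closes that gap.
SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "id:4913103,phase:request,t:none,block,log,\
    msg:'Request without Host header'"

# Exact-match allow list: the whole header must be one of the two names,
# optionally followed by :port. t:lowercase makes the comparison
# case-insensitive; the ^ and $ anchors rule out the substring matches
# that @pm would accept.
SecRule REQUEST_HEADERS:Host "!@rx ^(?:ct-vs1\.local|ct-vs2\.local)(?::[0-9]{1,5})?$" \
    "id:4913104,phase:request,t:none,t:lowercase,block,log,\
    msg:'Host header not in allow list',\
    logdata:'Host: %{MATCHED_VAR}'"
```

Both rules run in the request phase, so they are evaluated before any body processing and before the application sees the request.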
  • To bypass the WAF engine for a specific IP address or subnet. Place this rule before all other rules: ctl:ruleEngine=Off disables rule processing for the remainder of the transaction, including later phases, but it cannot undo rules that have already run.

SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" "id:10000,phase:1,nolog,pass,ctl:ruleEngine=Off"
  • To check the length of an input parameter (block when the foo parameter is 24 bytes or longer; t:length replaces the value with its length before @ge compares it).

SecRule ARGS:foo "@ge 24" "id:10001,t:length,phase:2,block,log,auditlog,msg:'Size of foo parameter too big'"
  • To check every request argument for java.lang.Runtime or getRuntime, tagged with the CVE the rule was written for (CVE-2018-1273). The @rx pattern is in lower case because t:lowercase runs before the operator.

SecRule ARGS "@rx java\.lang\.runtime|getruntime" "id:4050100, phase:request, t:none, t:lowercase, block, msg:'Java Injection found', tag:'application-multi', tag:'language-java', tag:'framework-spring',tag:'CVE-2018-1273', severity:'CRITICAL'"
  • To exclude a specific parameter from a specific rule (here the page parameter is removed from the targets of rule 930120, for the current transaction only, when the request path contains /vulnerabilities/fi/).

SecRule REQUEST_URI "@contains /vulnerabilities/fi/" "id:4000088,phase:1,t:none,nolog,pass,ctl:ruleRemoveTargetById=930120;ARGS:page"
  • To configure a positive-security (allow-list) rule in ModSecurity: the request is blocked unless the id parameter is purely numeric.

SecRule ARGS:id "!@rx ^[0-9]+$" "id:12345,phase:2,t:none,block,log,auditlog,msg:'id is not a number'"
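
The single check above extends naturally to a complete positive-security model for one endpoint: only known parameter names, each in a known format, and a cap on the number of parameters. The rules below are an added example, not part of the original page; the /api/item endpoint, the parameter names id and page, and the rule IDs 12346 to 12349 are assumptions.

```apache
# Added example (not from the original page). The /api/item endpoint, the
# parameter names and the rule IDs are assumptions.
#
# All rules run in phase 2 so that body parameters are available as well
# as query-string parameters.

# 1. Only the parameters "id" and "page" may be present on this endpoint.
#    ARGS_NAMES is a collection; the negated @rx fires for any name that
#    does not match, so one unexpected parameter is enough to block.
SecRule REQUEST_URI "@beginsWith /api/item" \
    "id:12346,phase:2,t:none,block,log,auditlog,\
    msg:'Unexpected parameter name on /api/item',\
    logdata:'Parameter: %{MATCHED_VAR}',\
    chain"
    SecRule ARGS_NAMES "!@rx ^(?:id|page)$" "t:none,t:lowercase"

# 2. "id" must be a decimal number of at most 10 digits.
SecRule REQUEST_URI "@beginsWith /api/item" \
    "id:12347,phase:2,t:none,block,log,auditlog,\
    msg:'id is not a number',\
    logdata:'id: %{MATCHED_VAR}',\
    chain"
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" "t:none"

# 3. "page", if present, must be a positive integer below 10000.
SecRule REQUEST_URI "@beginsWith /api/item" \
    "id:12348,phase:2,t:none,block,log,auditlog,\
    msg:'page out of range',\
    logdata:'page: %{MATCHED_VAR}',\
    chain"
    SecRule ARGS:page "!@rx ^[1-9][0-9]{0,3}$" "t:none"

# 4. Cap the argument count so the model cannot be probed (or the parser
#    tired out) with a flood of extra parameters. &ARGS counts arguments.
SecRule &ARGS "@gt 2" \
    "id:12349,phase:2,t:none,block,log,auditlog,\
    msg:'Too many parameters for /api/item',\
    chain"
    SecRule REQUEST_URI "@beginsWith /api/item" "t:none"
```

The order of the rules does not matter for correctness, since each one blocks on its own; keeping the name allow list first simply produces the most informative log line when a request fails several checks at once.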
  • To detect XXE (an external entity declaration in an XML request body) with a custom rule. The chain inspects the raw body only when the XML body processor is active. Two caveats: REQUEST_BODY is populated by default only for URL-encoded bodies, so the raw XML body may have to be forced into it with ctl:forceRequestBodyVariable=On in a phase 1 rule; and ModSecurity's own XML parser must not resolve external entities itself (SecXmlExternalEntity Off, which is the default).

SecRule REQBODY_PROCESSOR "@streq xml" "id:4099801,phase:2,t:none,t:trim,t:lowercase,block,chain"
    SecRule REQUEST_BODY "@rx <!ENTITY\s+[^>\s]*\s+SYSTEM"
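
The following is an added example, not taken from the original page, of the complete configuration around the XXE rule above: the directive that stops ModSecurity's own XML parser from resolving external entities, a phase 1 rule that selects the XML body processor and forces the raw body into REQUEST_BODY, and a version of the chain that also catches PUBLIC identifiers and parameter entities (<!ENTITY % name SYSTEM ...). The rule ID 4099800 and the Content-Type pattern are assumptions. Confirm on the ModSecurity version in use, by sending a test body and reading the audit log, that REQUEST_BODY is actually populated for XML requests.

```apache
# Added example (not from the original page). Rule ID 4099800 and the
# Content-Type pattern are assumptions.

# 1. Keep ModSecurity's own libxml2 parser from fetching external entities,
#    whatever the rules below decide. Off is the default; it is stated here
#    so that nobody turns it on by accident.
SecXmlExternalEntity Off

# 2. Route XML bodies to the XML request body processor. REQUEST_BODY is
#    populated by default only for URL-encoded bodies, so the raw body is
#    additionally forced into REQUEST_BODY for the chain below to inspect.
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?:application(?:/soap\+|/)|text/)xml" \
    "id:4099800,phase:1,t:none,t:lowercase,pass,nolog,\
    ctl:requestBodyProcessor=XML,\
    ctl:forceRequestBodyVariable=On"

# 3. Block external entity declarations in the raw body: SYSTEM or PUBLIC
#    identifiers, and parameter entities ("<!ENTITY % ..."), which are the
#    usual vehicle for out-of-band XXE. The body is lowercased before the
#    match, so the pattern is written in lower case. The check is
#    conditioned on the XML processor being active so that non-XML traffic
#    pays no cost.
SecRule REQBODY_PROCESSOR "@streq xml" \
    "id:4099801,phase:2,t:none,t:trim,t:lowercase,block,log,auditlog,\
    msg:'XXE attempt: external entity declaration in XML body',\
    severity:'CRITICAL',\
    chain"
    SecRule REQUEST_BODY "@rx <!entity\s+%?\s*[^>\s]+\s+(?:system|public)\b" \
        "t:none,t:lowercase"
```

The pattern deliberately ignores internal entities (<!ENTITY name "value">), which are harmless on their own; if the application never needs a DOCTYPE at all, matching on <!doctype is the simpler and stricter rule.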
  • To run the @detectSQLi operator (libinjection) on the last path element only: the first rule captures everything after the final slash of REQUEST_FILENAME into TX:1, and the chained rule tests that capture.

SecRule REQUEST_FILENAME "@rx ^/(?:[^/]*/)*(.*)$" \
    "id:4099819,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,\
    msg:'SQL Injection Attack Detected via libinjection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/3',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    chain"
    SecRule TX:1 "@detectSQLi" \
        "setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
        setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
  • To detect an HTTP request smuggling (desync) attempt: a request that carries both a Content-Length header and a Transfer-Encoding header containing chunked. &REQUEST_HEADERS:Content-Length counts the header's occurrences, so @gt 0 means "present".

SecRule &REQUEST_HEADERS:Content-Length "@gt 0" "id:4099820,phase:1,t:none,block,msg:'HTTP Desync attack detected',chain"
    SecRule REQUEST_HEADERS:Transfer-Encoding "@contains chunked" "t:none,t:lowercase"
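
The rule above covers the CL.TE and TE.CL cases. The following is an added example, not part of the original page, that keeps that check and adds rules for the other common smuggling indicators: duplicate or malformed Content-Length headers (CL.CL) and Transfer-Encoding values that are not exactly chunked, which front-end and back-end parsers tend to interpret differently. The rule IDs 4099821 to 4099823 are arbitrary, and the last rule is deliberately strict (it also rejects multi-encoding lists).

```apache
# Added example (not from the original page). Rule IDs 4099821-4099823 are
# arbitrary. All checks run in phase 1, on headers only, so a smuggling
# attempt is rejected before any body is read.

# CL.TE / TE.CL: both Content-Length and a chunked Transfer-Encoding present.
# RFC 7230 says a message with both must be treated as an error.
SecRule &REQUEST_HEADERS:Content-Length "@gt 0" \
    "id:4099820,phase:1,t:none,block,log,\
    msg:'HTTP Desync attack detected: Content-Length with Transfer-Encoding',\
    logdata:'Transfer-Encoding: %{MATCHED_VAR}',\
    chain"
    SecRule REQUEST_HEADERS:Transfer-Encoding "@contains chunked" "t:none,t:lowercase"

# CL.CL: more than one Content-Length header. Two proxies may pick
# different ones.
SecRule &REQUEST_HEADERS:Content-Length "@gt 1" \
    "id:4099821,phase:1,t:none,block,log,\
    msg:'HTTP Desync attack detected: multiple Content-Length headers'"

# A single Content-Length whose value is not a plain non-negative integer
# (e.g. "10, 10" or "+10") is ambiguous for the same reason.
SecRule REQUEST_HEADERS:Content-Length "!@rx ^[0-9]+$" \
    "id:4099822,phase:1,t:none,t:trim,block,log,\
    msg:'HTTP Desync attack detected: malformed Content-Length',\
    logdata:'Content-Length: %{MATCHED_VAR}'"

# Obfuscated Transfer-Encoding: anything other than the exact token
# "chunked" (e.g. "xchunked", "chunked, identity", "chunked\t") is rejected,
# because lenient parsers accept such values while strict ones fall back to
# Content-Length. The rule does not fire when the header is absent.
SecRule REQUEST_HEADERS:Transfer-Encoding "!@rx ^chunked$" \
    "id:4099823,phase:1,t:none,t:lowercase,block,log,\
    msg:'HTTP Desync attack detected: non-standard Transfer-Encoding',\
    logdata:'Transfer-Encoding: %{MATCHED_VAR}'"
```

When testing these rules, send the probes with a raw socket or a client that does not normalise headers (curl, for instance, refuses to send a duplicate Content-Length), otherwise the client rather than the WAF is what rejects the request.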