I'm a newbie using mod_security2. I have only been using it for about 3 weeks.
Hope someone can tell me how to accomplish the following. I'm looking for a way to create a rule that:
/SOMETHING
date or timestamp) or (is exactly lastLogon)
^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}[-+]?[0-9]{4}$
What I think the Reference Manual is missing is an explained complex example of SecRule. Maybe I just couldn't find it, in which case, please forgive me and please point me in the right direction.
I'm using version 2.9.0
Maybe using chain or something like that? Couldn't make it work (because of the needed boolean "or"). I don't know.
Since I'm already writing this request for help, maybe there is a shortcut it would be handy to know: I have many rules to write that apply if the URL after the domain name begins with /SOMETHING. Is there an easy way to handle them?
Thanks in advance.
The working rules are:
# Rule 10000 (phase 1): for requests under /SOMETHING, stop CRS rule 981173 from inspecting ARGS:filters
SecRule REQUEST_FILENAME "@beginsWith /SOMETHING" \
"phase:1,t:none,nolog,pass,ctl:ruleRemoveTargetById=981173;ARGS:filters,id:'10000'"
# Rule 10010 (phase 2, chained): argument names containing "date" or "timestamp" (case-insensitive),
# or named exactly "lastLogin", whose value is a well-formed timestamp ...
SecRule ARGS:/(?i)^.*date.*$/|ARGS:/(?i)^.*timestamp.*$/|ARGS:/(?i)^lastLogin$/ \
"@rx ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}[-+]?[0-9]{4}$" \
"phase:2,chain,t:none,nolog,pass,id:'10010'"
# ... and only when the request path starts with /SOMETHING: drop rule 981173 for this request
SecRule REQUEST_FILENAME "@beginsWith /SOMETHING" "ctl:ruleRemoveById=981173"
The problem I'm facing now is that the phase 2 one is not executed in my modsecurity_crs_15_customrules.conf configuration file; it only gets executed if it is placed in modsecurity.conf.
I'm still looking for a definitive solution for this new problem. (see: this other question)
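An added example, not part of the original post, showing one way to scope a whole group of rules to the /SOMETHING prefix (skipAfter jumping to a SecMarker) and to express the "or" over argument names in the variable list. The rule ids 10020-10022, the marker name END_SOMETHING_RULES and the deny response are assumptions; the timestamp regex and CRS rule id 981173 are the ones from the post.

```apache
# Added example (not from the original post). Assumes rule ids 10020-10022
# and the marker name END_SOMETHING_RULES are free in this rule set.

# Gate: if the path does NOT start with /SOMETHING, jump past the block.
# skipAfter only skips rules of the same phase, so everything in the
# block below is phase 2 as well.
SecRule REQUEST_FILENAME "!@beginsWith /SOMETHING" \
    "phase:2,id:10020,t:none,nolog,pass,skipAfter:END_SOMETHING_RULES"

# The "|" between selectors is the OR: any argument whose name contains
# "date" or "timestamp" (case-insensitive), or is named exactly lastLogon.
# The operator is negated, so the rule fires when the value does NOT have
# the strict timestamp shape; a malformed value is rejected, never exempted.
SecRule ARGS:/(?i)(date|timestamp)/|ARGS:lastLogon \
    "!@rx ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}[-+]?[0-9]{4}$" \
    "phase:2,id:10021,t:none,log,deny,status:400,msg:'Malformed timestamp in %{MATCHED_VAR_NAME}'"

# Only values that passed the strict check reach this point, so it is safe
# to exempt them from CRS rule 981173 for this transaction. A ctl: action
# only affects rules evaluated after it, so this file must be loaded before
# the CRS file that defines 981173.
SecRule ARGS:/(?i)(date|timestamp)/|ARGS:lastLogon \
    "@rx ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}[-+]?[0-9]{4}$" \
    "phase:2,id:10022,t:none,nolog,pass,ctl:ruleRemoveById=981173"

# Every rule for /SOMETHING goes above this marker; requests for other
# paths land here without evaluating any of them.
SecMarker END_SOMETHING_RULES
```

Note that the regex in the post requires milliseconds and a numeric offset, so a value such as 2015-03-01T10:00:00Z would be rejected by rule 10021; widen the pattern deliberately if the application emits that form rather than relaxing the anchors.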