
ModSecurity: Disruptive actions can only be specified by chain starter rules


I want to modify the response content using ModSecurity only if the file resides on a particular directory. I implemented the rules like this:

SecRule REQUEST_URI "@contains /admin/" "phase:2,chain,t:none,t:urlDecode,t:lowercase,t:normalizePath,deny,log"

SecRule STREAM_OUTPUT_BODY "@rsub s/test/replaced_string/" "phase:4,t:none,log,pass,msg:'String replaced'"

But after writing this rule, when I restart apache2, modsecurity gives me an error: ModSecurity: Disruptive actions can only be specified by chain starter rules. I tried writing the rules the other way round too, but it didn't help.

Any idea why it happens?


Solution

  • Your rule makes no sense.

    If it's in the admin area, deny it and look at the next rule (chain), where you allow it to pass! Which is it? Block or pass?

    Also you can't chain rules from two different phases (phase 2 in first rule in chain and phase 4 in second rule).

    I'd suggest you probably want something like this:

    SecRule REQUEST_URI "@contains /admin/" "phase:4,chain,t:none,t:urlDecode,t:lowercase,t:normalizePath,pass,log"
        SecRule STREAM_OUTPUT_BODY "@rsub s/test/replaced_string/" "t:none,log,msg:'String replaced'"
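
The check behind this error can be run over a rule file before restarting Apache. The following is an added example, not code from the answer or from ModSecurity: a small linter that flags disruptive actions and phase settings on any rule that follows a `chain` starter. It assumes one `SecRule` per line with no line continuations, and the function names and messages are made up for illustration.

```python
import re
import shlex

# Disruptive actions in the ModSecurity 2.x reference manual; note that "pass" is one of them.
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "proxy", "redirect"}

def action_names(actions):
    """Split an action list on commas, keeping quoted values such as msg:'a, b' whole."""
    parts = re.findall(r"(?:[^,']|'[^']*')+", actions)
    return [p.strip().split(":", 1)[0].lower() for p in parts if p.strip()]

def lint_chains(config):
    """Return (line_no, message) for chained rules that carry starter-only actions."""
    findings = []
    in_chain = False  # True when the previous rule ended with the chain action
    for line_no, line in enumerate(config.splitlines(), 1):
        line = line.strip()
        if not line.startswith("SecRule "):
            continue
        fields = shlex.split(line)  # SecRule, variables, operator, actions
        names = action_names(fields[3]) if len(fields) > 3 else []
        if in_chain:
            for name in names:
                if name in DISRUPTIVE:
                    findings.append((line_no, f"disruptive action '{name}' in chained rule"))
                elif name == "phase":
                    findings.append((line_no, "phase set in chained rule"))
        in_chain = "chain" in names
    return findings

# Constructed sample input: the two rule sets from this page, one rule per line.
QUESTION_RULES = '''
SecRule REQUEST_URI "@contains /admin/" "phase:2,chain,t:none,t:urlDecode,t:lowercase,t:normalizePath,deny,log"
SecRule STREAM_OUTPUT_BODY "@rsub s/test/replaced_string/" "phase:4,t:none,log,pass,msg:'String replaced'"
'''
ANSWER_RULES = '''
SecRule REQUEST_URI "@contains /admin/" "phase:4,chain,t:none,t:urlDecode,t:lowercase,t:normalizePath,pass,log"
    SecRule STREAM_OUTPUT_BODY "@rsub s/test/replaced_string/" "t:none,log,msg:'String replaced'"
'''

if __name__ == "__main__":
    for label, rules in (("question", QUESTION_RULES), ("answer", ANSWER_RULES)):
        print(label, lint_chains(rules) or "no starter-only actions in chained rules")
```

On the question's rules it reports both the `phase:4` and the `pass` on the second rule; the answer's version comes back clean because the chained rule carries neither.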