I was wondering if there is a way to block multiple URLs with a single rule in ModSecurity? I have a list of 30+ URLs I would like to deny and log. I know I can block a single URL with a command such as:
SecRule REQUEST_URI "/url/to/block" "phase:1,id:'1000001',log,noauditlog,deny,status:403"
Do I need to write a rule for each URL or can they all be combined into the same rule?
You've a couple of choices to avoid multiple rules:
Have a really long rule using regex or pm. For example:
SecRule REQUEST_URI "@pm url1 url2 url3...etc." \
"phase:1,id:'1000001',log,noauditlog,deny,status:403"
Or list the URLs in a file and use pmFromFile to do the matching. For example:
SecRule REQUEST_URI "@pmFromFile /path/to/urlBlacklistFile" \
"phase:1,id:'1000001',log,noauditlog,deny,status:403"
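Added example (not part of the original answer, and not ModSecurity's own code): a pre-deployment check that approximates the documented `@pm`/`@pmFromFile` behaviour, where phrases are case-insensitive substrings of `REQUEST_URI`, query string included, so a blocklist can be run against known-good URLs to spot over-matching. The blocklist entries, sample URIs and function names are constructed for illustration, and no transformations are modelled.

```python
# Added example: emulates the documented @pmFromFile matching rules so a
# blocklist can be checked against known-good URLs before deployment.

# Constructed sample blocklist (one phrase per line, as @pmFromFile expects).
BLOCKLIST_TEXT = """\
# legacy endpoints retired in the last release (constructed sample)
/old/admin

  /backup.zip
/Private/
"""

def load_phrases(text):
    """Parse a phrase file: trim whitespace, skip blank and '#' comment lines."""
    phrases = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            phrases.append(line.lower())   # @pm matching is case-insensitive
    return phrases

def matching_phrase(request_uri, phrases):
    """Return the first phrase found anywhere in the URI, or None.

    REQUEST_URI includes the query string, and @pm is a substring match,
    so a phrase can hit in the middle of a path or inside a parameter value.
    """
    uri = request_uri.lower()
    for phrase in phrases:
        if phrase in uri:
            return phrase
    return None

def audit(uris, phrases):
    """Map each URI to the phrase that would block it (None = allowed)."""
    return {uri: matching_phrase(uri, phrases) for uri in uris}

# Constructed request URIs: intended targets plus pages that must stay reachable.
SAMPLE_URIS = [
    "/old/admin",                     # intended block
    "/OLD/Admin/login.php",           # blocked: case-insensitive, longer path
    "/docs/old/administration.html",  # blocked: substring of a different path
    "/search?q=/backup.zip",          # blocked: phrase appears in the query string
    "/private-offers",                # allowed: "/private/" needs the trailing slash
    "/index.html",                    # allowed
]

if __name__ == "__main__":
    for uri, hit in audit(SAMPLE_URIS, load_phrases(BLOCKLIST_TEXT)).items():
        print(f"{'DENY ' if hit else 'ALLOW'} {uri}" + (f"  (matched {hit!r})" if hit else ""))
```

If a legitimate URL shows up as denied, make the phrase more specific or switch that entry to an anchored regex rule instead of a phrase match.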