modsec custom rule

Hello,
I have an Apache server with mod_security enabled.
I want to create a rule that blocks any page that contains, when opened, for example c:\windows.
Thanks,
Amin El-Zein Asked:

David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
You asked...

"i want to create a rule that block any page contain when open"

which sounds like you're trying to block all page accesses.

Easy way to do this is just to stop Apache.

Likely I've just misunderstood your question.

Clarify what you're asking a bit + likely someone can assist you.
Amin El-Zein (Author) Commented:
I have some applications behind a server named app02.
My server works as a reverse proxy + mod_security, named rp-srv.
Some applications show errors when some pages are requested, and these contain information about the system, like c:\windows etc.
I want to block the pages that could contain these words if the client tries to request them, or if the page shows an error that contains c:\windows.
Thanks.
Dr. Klahn (Principal Software Engineer) Commented:
Using mod_security for this purpose is overkill - it's swatting a mosquito with a nuclear weapon.  Further (imo) mod_security log entries are incomprehensible when a rule engages.  Use mod_rewrite instead.

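RewriteEngine On
# The test string was missing from the posted snippet; THE_REQUEST (the raw request line) is assumed here.
# \x5c is a literal backslash (a bare \w in a regex means "any word character").
RewriteCond %{THE_REQUEST} \x5cwindows [NC]
# (stick in more RewriteCond lines here as required, joining them with [OR])
RewriteRule .* - [F,L]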

Do be aware that this won't stop clever URLs where the URL is hexified.
Amin El-Zein (Author) Commented:
I can't use mod_rewrite because I am not talking about the URL, I am talking about page content....
Dr. Klahn (Principal Software Engineer) Commented:
Such a rule would make it impossible to discuss anything related to Windows in the web pages on that system.
Amin El-Zein (Author) Commented:
Let's say any word, for example "error".
Amin El-Zein (Author) Commented:
That means any page that loads and has "error" in its content will be blocked.
Amin El-Zein (Author) Commented:
Hello,
I resolved it by adding a custom rule:
SecRule RESPONSE_BODY "Windows" "id:33334,deny,log,status:405,phase:response,msg:'the page show an error that contain a system information'"
Thanks.
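
A tighter variant of the rule from the last post, as an added example that is not part of the thread: it lists the response-body settings the rule depends on and narrows the pattern to an actual Windows path, which addresses the false-positive concern raised earlier. It assumes ModSecurity 2.x embedded in Apache on the reverse proxy; the rule id 33335 and the directory list are constructed for illustration.

```apache
# Added example for the reverse proxy (rp-srv in the thread).
# Assumption: ModSecurity 2.x; rule id 33335 is constructed.

SecRuleEngine On

# RESPONSE_BODY is empty unless response buffering is enabled,
# in which case a phase 4 rule on it never fires.
SecResponseBodyAccess On

# Only responses with these content types are buffered and inspected.
SecResponseBodyMimeType text/plain text/html text/xml

# For bodies above the limit, inspect the buffered part and pass the
# rest through instead of rejecting large responses outright.
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# Ask the backend (app02) for uncompressed responses; a gzip-encoded
# body cannot be matched against a text pattern.
SecDisableBackendCompression On

# The rule from the thread (id 33334) matches the bare word "Windows",
# so any page that merely mentions Windows is blocked as well.
# Narrower form: drive letter, colon, backslash, then a system directory.
# \x5c is a literal backslash, written in hex so that neither the Apache
# config parser nor the regex engine re-interprets it.
SecRule RESPONSE_BODY "@rx (?i)\b[a-z]:\x5c(?:windows|winnt|inetpub|program files)\b" \
    "id:33335,\
    phase:4,\
    t:none,\
    capture,\
    deny,\
    status:405,\
    log,\
    msg:'Response body discloses a Windows filesystem path',\
    logdata:'Matched: %{TX.0}'"
```

With `capture`, the audit log records only the matched path prefix rather than the whole response body.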