Chained rule not working in ModSecurity/Coraza

ModSecurity rule chaining is not working (I'm using Coraza). For the following rules:

SecRule REQUEST_HEADERS:X-Forwarded-For "@ipMatch 3.4.5.6" "id:9,phase:1,chain"
SecRule REQUEST_HEADERS:Host "@eq bar.com" "id:10,phase:1,deny"

When I send the following request:

curl -v -H 'Host: bar.com' -H 'X-Forwarded-For: 3.4.5.6'  localhost

The two rules match, but the action in the second rule is not applied and the request is not denied.

I verified the rules are matching by seeing the following in the log:

2023/11/06 19:33:20 [DEBUG] Evaluating operator: MATCH tx_id="bqZkxImuTflWlGYCGVG" rule_id=9 operator_function="@ipMatch" operator_data="3.4.5.6" arg="3.4.5.6"
2023/11/06 19:33:20 [DEBUG] Evaluating operator: MATCH tx_id="bqZkxImuTflWlGYCGVG" rule_id=10 operator_function="@eq" operator_data="bar.com" arg="bar.com"
2

There are 2 answers

0
user2233706 On BEST ANSWER

The action has to be in the first rule that begins the chain:

SecRule REQUEST_HEADERS:X-Forwarded-For "@ipMatch 3.4.5.6" "id:9,phase:1,deny,chain"
SecRule REQUEST_HEADERS:Host "@eq bar.com" "id:10,phase:1"
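
A check for the misplacement described in this answer, as an added example that is not part of the original post and is not Coraza code: it scans SecLang text and reports any disruptive action on a rule that is not the chain starter. The function names and the regex-based parsing are assumptions made for illustration; the two sample rule sets are the ones quoted on this page.

```python
import re

# Disruptive SecLang actions this check looks for.
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "proxy", "redirect"}
# SecRule VARIABLES "OPERATOR" ["ACTIONS"]; group 1 is the action list.
RULE_RE = re.compile(
    r'^\s*SecRule\s+\S+\s+"(?:[^"\\]|\\.)*"(?:\s+"((?:[^"\\]|\\.)*)")?\s*$')

# The two rule sets from this page, copied unchanged.
QUESTION_RULES = '''\
SecRule REQUEST_HEADERS:X-Forwarded-For "@ipMatch 3.4.5.6" "id:9,phase:1,chain"
SecRule REQUEST_HEADERS:Host "@eq bar.com" "id:10,phase:1,deny"
'''
ANSWER_RULES = '''\
SecRule REQUEST_HEADERS:X-Forwarded-For "@ipMatch 3.4.5.6" "id:9,phase:1,deny,chain"
SecRule REQUEST_HEADERS:Host "@eq bar.com" "id:10,phase:1"
'''

def logical_lines(text):
    """Yield (first_line_no, directive), joining backslash continuations."""
    buf, start = "", 0
    for no, line in enumerate(text.splitlines(), 1):
        start = start if buf else no
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
        else:
            yield start, buf + line
            buf = ""

def action_names(action_list):
    """'id:9,deny,chain' -> ['id', 'deny', 'chain']; quoted values dropped."""
    bare = re.sub(r"'(?:[^'\\]|\\.)*'", "", action_list)
    names = (item.split(":", 1)[0].strip().lower() for item in bare.split(","))
    return [n for n in names if n]

def lint_chains(text):
    """Return (line_no, action) for each disruptive action on a non-starter
    rule of a chain, the placement this page shows is not applied."""
    findings, in_chain = [], False
    for line_no, line in logical_lines(text):
        m = RULE_RE.match(line)
        if not m:
            continue  # comment, blank line, or another directive
        actions = action_names(m.group(1) or "")
        if in_chain:
            findings += [(line_no, a) for a in actions if a in DISRUPTIVE]
        in_chain = "chain" in actions
    return findings

if __name__ == "__main__":
    print(lint_chains(QUESTION_RULES), lint_chains(ANSWER_RULES))
```

The sample rules keep the page's `@eq`, which the ModSecurity reference defines as a numerical comparison; `@streq` is the string-equality operator.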
0
José Carlos On

Thanks for the hard work @user2233706, we really appreciate the time you dedicate to post/answer questions about Coraza. Come by the Slack https://owasp.org/slack/invite to say hi if you aren't there already.